Inbox Zero Redis Subscription Listener Vulnerability Allows Cross-Account Email Stream Events
Vulnerability
A vulnerability in Inbox Zero's email stream feature prior to version 2.29.3 allowed cross-account event delivery via a shared Redis subscription listener. Because the listener was shared across sessions, one authenticated user's thread events could be delivered to another user who was connected at the same time. The vulnerability was present in versions through 2.29.2 and is fixed in 2.29.3.
Impact
This vulnerability could lead to unintended cross-account data exposure, where one user's email thread events were shared with another user.
Reproduction
To reproduce this vulnerability, two separate authenticated users must be using the cleaner feature simultaneously. When one user triggers a thread event, it will be delivered to the other user as well, due to the shared Redis subscription listener. This can be tested by having both users active at the same time and observing the cross-delivery of thread events.
Remediation
Users can update to Inbox Zero version 2.29.3 or later to address this vulnerability.
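The two patterns described above, as an added example that is not Inbox Zero's own code: an in-memory stand-in for Redis pub/sub, a process-wide listener on one shared channel that fans events out to every open stream (the bug class in the advisory), and a per-user-channel variant shown as one possible mitigation (an assumption, not necessarily the project's actual patch). The channel names, user ids and event payload are constructed.

```typescript
// Added example (not Inbox Zero's code): an in-memory stand-in for Redis
// pub/sub, used to contrast a shared listener with per-user channels.
type Handler = (message: string) => void;

class FakePubSub {
  private subs: Record<string, Handler[]> = {};
  subscribe(channel: string, handler: Handler): void {
    (this.subs[channel] || (this.subs[channel] = [])).push(handler);
  }
  publish(channel: string, message: string): void {
    for (const h of this.subs[channel] || []) h(message);
  }
}

// One open event stream per authenticated user; `received` stands in for
// the HTTP response the thread events would be written to.
interface Stream { userId: string; received: string[] }

// Vulnerable pattern: a single process-wide subscription on a shared channel
// fans every event out to every open stream, whoever owns it.
function attachSharedListener(bus: FakePubSub, streams: Stream[]): void {
  bus.subscribe("thread-events", (msg) => {
    for (const s of streams) s.received.push(msg);
  });
}

// Hardened pattern (assumed mitigation): each stream subscribes only to a
// channel scoped to its own user id, so alice's events never reach bob.
function attachPerUserListener(bus: FakePubSub, streams: Stream[]): void {
  for (const s of streams) {
    bus.subscribe(`thread-events:${s.userId}`, (msg) => s.received.push(msg));
  }
}

// Two users connected at the same time while a thread event fires for alice.
function simulate(mode: "shared" | "perUser"): Record<string, string[]> {
  const bus = new FakePubSub();
  const streams: Stream[] = [{ userId: "alice", received: [] }, { userId: "bob", received: [] }];
  const event = JSON.stringify({ userId: "alice", threadId: "thread-1" }); // constructed
  if (mode === "shared") {
    attachSharedListener(bus, streams);
    bus.publish("thread-events", event);
  } else {
    attachPerUserListener(bus, streams);
    bus.publish("thread-events:alice", event);
  }
  const out: Record<string, string[]> = {};
  for (const s of streams) out[s.userId] = s.received;
  return out;
}
```

Running `simulate("shared")` shows bob's stream receiving alice's event; `simulate("perUser")` delivers it to alice alone.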
