Skip to main content

Freescout CVE-2026-39384

| EUVDEUVD-2026-19740 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-07 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 18:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:04 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.212
EUVD ID Assigned
Apr 07, 2026 - 16:30 euvd
EUVD-2026-19740
Analysis Generated
Apr 07, 2026 - 16:30 vuln.today
CVE Published
Apr 07, 2026 - 16:05 nvd
HIGH 7.6

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.

AnalysisAI

Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter-intended to restrict agents' access to specific customers-is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis, EPSS data not provided.

Technical ContextAI

FreeScout is an open-source help desk and shared inbox application built on PHP's Laravel framework. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the customer merge functionality fails to enforce the limit_user_customer_visibility access control parameter. This parameter is designed to implement multi-tenancy or customer segmentation by restricting which customer records an authenticated agent can access. During merge operations-a common administrative task for consolidating duplicate customer entries-the application does not validate whether the authenticated user has authorization to access both source and target customer records. The affected product is identified by CPE cpe:2.3:a:freescout-help-desk:freescout, indicating this is specific to the FreeScout help desk platform. The flaw represents a classic horizontal privilege escalation where users can manipulate resources belonging to other users at the same privilege level.

RemediationAI

Upgrade FreeScout to version 1.8.212 or later, which contains the authorization enforcement fix. The patch is available via the upstream repository, with the specific commit b395a1179117af5e2df704c6bad71feeb301b4ce addressing this vulnerability at https://github.com/freescout-help-desk/freescout/commit/b395a1179117af5e2df704c6bad71feeb301b4ce. Organizations should prioritize this upgrade if they use customer visibility restrictions to enforce data segmentation. As a temporary workaround until patching, restrict customer merge permissions to only fully-privileged administrators who have access to all customer records, or temporarily disable the customer merge feature if business operations permit. Review audit logs for any suspicious customer merge operations performed by restricted agents during the vulnerability window. Verify the limit_user_customer_visibility configuration is properly enforced after upgrade by testing merge operations with restricted user accounts.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-39384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy