Skip to main content

FreeScout CVE-2026-40570

| EUVDEUVD-2026-24173 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-21 security-advisories@github.com
5.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:38 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24173
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the load_customer_info action in POST /conversation/ajax returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.

AnalysisAI

FreeScout versions prior to 1.8.213 expose complete customer PII through an authentication bypass in the load_customer_info action of POST /conversation/ajax, allowing any authenticated user to retrieve sensitive profile data for arbitrary customers by providing only a valid email address. The vulnerability affects the authorization layer rather than authentication, enabling lateral access to customer records across mailboxes without proper access control verification.

Technical ContextAI

FreeScout is a self-hosted help desk application built on Laravel. The vulnerability exists in the /conversation/ajax endpoint's load_customer_info action, which processes POST requests to fetch customer profile information. The underlying issue is a broken access control flaw (CWE-639) where the endpoint verifies that a user is authenticated (PR:L in CVSS vector) but fails to validate whether that authenticated user has permission to access the specific customer's mailbox or account. This is a classic authorization bypass where authentication is checked but authorization (mailbox membership) is not. The attacker can enumerate customer records by submitting valid email addresses, as no rate-limiting or additional validation gates the retrieval.

RemediationAI

Vendor-released patch: FreeScout version 1.8.213 or later. Upgrade immediately by pulling the latest release from the official FreeScout GitHub repository (https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213) or applying the upstream fix from commit f35b4249c72d9bdac6ab1ea4e288f5894be34057. If immediate patching is not possible, implement access control validation in the /conversation/ajax endpoint to verify that the authenticated user belongs to the mailbox associated with the requested customer record before returning profile data. Additionally, audit FreeScout user access logs to identify any suspicious cross-mailbox customer information lookups during the period before patching. Consider temporarily restricting non-administrative user access to the /conversation/ajax endpoint if business operations permit.

Share

CVE-2026-40570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy