Skip to main content

FreeScout CVE-2026-40589

| EUVDEUVD-2026-24184 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-21 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 21:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:36 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24184
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
HIGH 7.6

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer’s name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue.

AnalysisAI

Privilege escalation in FreeScout versions prior to 1.8.214 allows low-privileged agents to hijack hidden customer email addresses across mailbox boundaries, disclosing confidential customer names, profile URLs, and reassigning conversations from restricted mailboxes to attacker-controlled customer records. The vulnerability enables authenticated agents to bypass mailbox isolation controls and access data they should not see. CVSS score of 7.6 (High) reflects network-exploitable access with high integrity impact; EPSS and KEV data not provided in intelligence sources.

Technical ContextAI

FreeScout is a self-hosted help desk and shared mailbox system written in PHP, designed for multi-tenant customer support environments where agents have restricted visibility into different mailboxes. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the customer editing functionality fails to validate mailbox isolation boundaries when processing email address updates. When an agent edits a customer record visible to them and assigns an email address that belongs to a hidden customer in another mailbox, the server-side logic incorrectly processes the reassignment without checking cross-mailbox permissions. The application returns the hidden customer's metadata (name, profile URL) in the success response and migrates conversation history tied to that email address to the newly visible customer record, effectively breaking the mailbox segregation model that underpins multi-tenant security in help desk systems.

RemediationAI

Upgrade to FreeScout version 1.8.214 or later immediately, available from the official GitHub repository at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214. The fix is implemented in commit 2e2fe37111d92ac665b9ad8806eac94a1a3e502c, which adds server-side validation to prevent email address reassignments across mailbox boundaries. Review the GitHub Security Advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr for additional vendor guidance. If immediate patching is not feasible, implement compensating controls: restrict agent-level customer editing permissions through role-based access controls (note: this may reduce operational flexibility for legitimate support workflows), audit recent customer edit actions in application logs for suspicious email address changes, and implement network-level access restrictions so agents can only access FreeScout from controlled environments. These workarounds are incomplete mitigations since they rely on administrative enforcement rather than technical controls; upgrading remains the definitive fix.

Share

CVE-2026-40589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy