Skip to main content

FreeScout CVE-2026-41183

| EUVDEUVD-2026-24191 MEDIUM
Information Exposure (CWE-200)
2026-04-21 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:38 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24191
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability.

AnalysisAI

FreeScout prior to version 1.8.215 leaks confidential help desk conversations to authenticated users through global search and AJAX filter endpoints, bypassing per-conversation access controls that should restrict visibility to assigned agents. An authenticated user with any level of helpdesk access can enumerate and view conversations they should not have permission to access via non-folder query builders, revealing sensitive customer and internal communication that the application explicitly restricts in folder views.

Technical ContextAI

FreeScout is a self-hosted help desk platform that manages customer conversations and support tickets. The application implements conversation-level access controls to restrict visibility based on agent assignments - certain conversations should only be visible to assigned team members. However, the authorization logic (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) is inconsistently applied across query paths. Direct conversation views and folder-based queries correctly enforce the 'assigned-only' restriction, but alternative query paths - specifically global search functionality and AJAX filter endpoints - bypass this authorization layer. This inconsistency allows authenticated agents to access restricted conversations through alternate code paths that were not properly secured against information disclosure.

RemediationAI

Upgrade FreeScout to version 1.8.215 or later immediately - this is the vendor-released patch that restores proper authorization checks to global search and AJAX filter endpoints. Apply the patch by downloading the latest release from https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215 and following standard FreeScout update procedures. As a temporary compensating control pending upgrade, restrict access to the global search feature and AJAX filter API endpoints via web server configuration (e.g., nginx location blocks or Apache .htaccess rules) to administrative users only, though this will degrade functionality for regular agents. An additional interim measure is to audit access logs for suspicious global search or AJAX filter queries by non-administrative users and review their conversation history for unauthorized access, but this does not prevent ongoing exploitation. Prioritize patching over workarounds, as the core authorization vulnerability cannot be fully mitigated without code-level fixes.

Share

CVE-2026-41183 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy