Skip to main content

FreeScout CVE-2026-41189

| EUVDEUVD-2026-24193 HIGH
Incorrect Authorization (CWE-863)
2026-04-21 security-advisories@github.com
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:37 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24193
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit(), which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Authorization bypass in FreeScout allows low-privileged authenticated users to edit customer threads in conversations they cannot access. The ThreadPolicy::edit() method validates mailbox access but fails to enforce assigned-only conversation restrictions from ConversationPolicy, enabling unauthorized modification of customer communications with high integrity impact. Vendor patch released in version 1.8.215 with fix commit confirmed in GitHub advisory GHSA-4h5p-7f5c-q7gj. No public exploit identified at time of analysis, CVSS 7.1 (High) with low attack complexity indicates straightforward exploitation once authenticated.

Technical ContextAI

FreeScout is an open-source self-hosted help desk and shared mailbox application built on PHP/Laravel. The vulnerability stems from CWE-863 (Incorrect Authorization) in the policy enforcement layer. Laravel applications typically use policy classes to authorize resource access - FreeScout implements ThreadPolicy and ConversationPolicy separately. The flaw occurs because ThreadPolicy::edit() validates whether a user has mailbox-level access but does not inherit or check the assigned-only filtering logic from ConversationPolicy. This creates an inconsistent authorization boundary where conversation-level visibility restrictions (which may limit users to only their assigned tickets) are bypassed when directly editing thread resources. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation requiring only low-privileged authentication, with high integrity impact (I:H) from unauthorized thread modification and low confidentiality impact (C:L) from indirect data exposure through edit capabilities.

RemediationAI

Upgrade FreeScout to version 1.8.215 or later immediately, as confirmed by vendor release at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. The fix commit (cdadaf621bb1e1d017315df20d743671f7eae7a9) modifies ThreadPolicy to properly inherit conversation access restrictions, resolving the authorization bypass. For environments unable to upgrade immediately, implement compensating controls by restricting user account creation and auditing thread edit operations through application logs to detect unauthorized modifications. Review user permissions and consider temporarily elevating all users to full conversation access (eliminating assigned-only restrictions) if the authorization gap poses greater risk than broader access - this trades the vulnerability for intentional permission expansion with compensating audit controls. Database-level triggers could log thread edits with user context for forensic review, though this adds complexity and does not prevent exploitation. All compensating controls carry operational overhead and reduced security posture compared to applying the vendor patch.

Share

CVE-2026-41189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy