Skip to main content

FreeScout CVE-2026-41190

| EUVDEUVD-2026-24195 HIGH
Incorrect Authorization (CWE-863)
2026-04-21 security-advisories@github.com
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:37 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24195
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The save_draft AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Authorization bypass in FreeScout's draft save functionality allows authenticated users with low privileges to create draft messages in conversations they should not access when APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled. While the conversation view correctly enforces access controls, the save_draft AJAX endpoint fails to validate user permissions, enabling unauthorized information disclosure and message manipulation (CVSS 7.1, High integrity impact). No active exploitation confirmed (not in CISA KEV), but publicly available commit reveals exact vulnerability location. EPSS data not provided, limiting probability assessment.

Technical ContextAI

FreeScout is an open-source PHP-based help desk and shared mailbox system. The vulnerability stems from CWE-863 (Incorrect Authorization), occurring when the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS configuration restricts conversation visibility to assignees and creators only. The application implements two separate authorization checks: one in the conversation view layer (working correctly) and one in the AJAX-based save_draft API endpoint (failing). This architectural inconsistency creates an authorization gap where authenticated users can directly POST to /ajax/save_draft with conversation IDs they don't own, bypassing UI-level restrictions. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation requiring low-privilege authentication but no complexity barriers, while S:U confirms the vulnerability cannot break out of the application's security context.

RemediationAI

Upgrade to FreeScout version 1.8.215 or later, available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. The patch (commit 414878eb79be7cb01a3ae124df6efcd23729275f at https://github.com/freescout-help-desk/freescout/commit/414878eb79be7cb01a3ae124df6efcd23729275f) adds consistent authorization checks to the save_draft AJAX endpoint matching those in the conversation view. For environments unable to immediately upgrade, temporary mitigation involves disabling APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS, which removes the security boundary the vulnerability bypasses but also eliminates conversation isolation between users - acceptable only in single-team deployments without privacy requirements. Alternative compensating control: implement web application firewall rules to log and alert on POST requests to /ajax/save_draft from users not matching conversation ownership patterns, though this requires custom scripting to correlate user sessions with conversation assignments and may generate false positives during legitimate reassignment workflows. No vendor-provided workaround exists; upgrade is the only complete remediation.

Share

CVE-2026-41190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy