Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214.
AnalysisAI
Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.
Technical ContextAI
FreeScout is an open-source help desk system built on Laravel (PHP), using a mailbox-based multi-tenancy model where agents have scoped access to specific customer inboxes. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application performs client-side filtering via a search API endpoint but fails to validate the customer_email parameter server-side in the conversation reassignment action. Laravel applications typically use middleware for authorization; this flaw indicates missing or incomplete authorization checks in the ConversationController's conversation_change_customer method. The cpe:2.3:a:freescout-help-desk:freescout designation confirms the vendor and product namespace. The concurrent disclosure of five related customer visibility bugs (all patched in 1.8.214) suggests systemic authorization issues in customer access control logic across multiple endpoints.
RemediationAI
Upgrade immediately to FreeScout version 1.8.214 or later from the official GitHub repository at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214. This release addresses five concurrent customer visibility authorization bypasses (GHSA-p6hg-2cwg-rrx9, GHSA-wjw4-8xg6-342m, GHSA-mv55-3mgv-fxwr, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6), implementing server-side customer access validation in conversation reassignment, phone conversation creation, email move operations, and thread undo actions. For environments unable to upgrade immediately, implement compensating controls by restricting agent privileges to single-mailbox access via Laravel middleware or database-level constraints, eliminating cross-mailbox attack vectors (trade-off: reduces legitimate operational flexibility for multi-mailbox support teams). Monitor application logs for conversation_change_customer POST requests with customer_email parameters outside the agent's assigned mailbox scope (detectable via Laravel query logs comparing customer.mailbox_id against agent permissions). Review audit logs for unauthorized conversation reassignments since deployment, focusing on customer email changes where source and destination customers belong to different mailboxes.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28409