Skip to main content

FreeScout CVE-2026-41906

| EUVDEUVD-2026-28409 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-07 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
May 07, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 19:46 vuln.today
Analysis Generated
May 07, 2026 - 19:46 vuln.today
CVE Published
May 07, 2026 - 18:09 nvd
HIGH 7.1

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214.

AnalysisAI

Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.

Technical ContextAI

FreeScout is an open-source help desk system built on Laravel (PHP), using a mailbox-based multi-tenancy model where agents have scoped access to specific customer inboxes. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application performs client-side filtering via a search API endpoint but fails to validate the customer_email parameter server-side in the conversation reassignment action. Laravel applications typically use middleware for authorization; this flaw indicates missing or incomplete authorization checks in the ConversationController's conversation_change_customer method. The cpe:2.3:a:freescout-help-desk:freescout designation confirms the vendor and product namespace. The concurrent disclosure of five related customer visibility bugs (all patched in 1.8.214) suggests systemic authorization issues in customer access control logic across multiple endpoints.

RemediationAI

Upgrade immediately to FreeScout version 1.8.214 or later from the official GitHub repository at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214. This release addresses five concurrent customer visibility authorization bypasses (GHSA-p6hg-2cwg-rrx9, GHSA-wjw4-8xg6-342m, GHSA-mv55-3mgv-fxwr, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6), implementing server-side customer access validation in conversation reassignment, phone conversation creation, email move operations, and thread undo actions. For environments unable to upgrade immediately, implement compensating controls by restricting agent privileges to single-mailbox access via Laravel middleware or database-level constraints, eliminating cross-mailbox attack vectors (trade-off: reduces legitimate operational flexibility for multi-mailbox support teams). Monitor application logs for conversation_change_customer POST requests with customer_email parameters outside the agent's assigned mailbox scope (detectable via Laravel query logs comparing customer.mailbox_id against agent permissions). Review audit logs for unauthorized conversation reassignments since deployment, focusing on customer email changes where source and destination customers belong to different mailboxes.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-41906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy