Skip to main content

FreeScout EUVDEUVD-2026-24185

| CVE-2026-40590 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-21 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:38 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24185
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.

AnalysisAI

FreeScout prior to version 1.8.214 permits authenticated users to modify hidden customer profiles through email-based object reuse in the customer creation endpoint. By supplying an email address already associated with a hidden customer via POST /customers/ajax?action=create, an attacker can bypass unique-email validation and populate that customer's empty profile fields with arbitrary data, enabling account takeover or data manipulation without administrative privileges.

Technical ContextAI

FreeScout's customer management system implements a 'Create a new customer' flow accessible through the Change Customer modal. The vulnerability stems from CWE-639 (Authorization Through User-Controlled Key), where the endpoint validates input based on email uniqueness but fails to enforce visibility restrictions. When a duplicate email is submitted, the application reuses the existing Customer object rather than rejecting the request, allowing authenticated users to modify fields belonging to customers outside their normal authorization scope. The vulnerability is confined to the POST /customers/ajax endpoint with action=create parameter and affects the customer profile object instantiation logic in Customer::create().

RemediationAI

Upgrade FreeScout to version 1.8.214 or later immediately. The vendor has released a patched version that restores unique-email validation and prevents object reuse from hidden customer records. Users unable to upgrade immediately should restrict access to the customer management interface by limiting authenticated user roles - specifically disable or remove the customer creation permission from non-administrative accounts. Additionally, monitor POST requests to /customers/ajax?action=create for suspicious email parameters or requests from unexpected user roles. No additional compensating controls are available short of patching, as the vulnerability is inherent to the endpoint logic.

Share

EUVD-2026-24185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy