Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled customer_id, name, to_email, and phone values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying to_email. Version 1.8.214 fixes the vulnerability.
AnalysisAI
Low-privileged agents in FreeScout can escalate mailbox access by exploiting insufficient customer visibility enforcement in phone conversation creation. Attackers with agent credentials for Mailbox A can reference and modify customer records from Mailbox B, adding alias emails to hidden customer profiles and bypassing mailbox isolation boundaries. This constitutes an authentication bypass enabling cross-mailbox data manipulation. Fixed in version 1.8.214. EPSS data not provided; no CISA KEV listing at time of analysis. GitHub security advisory and upstream commit confirm the vulnerability and patch.
Technical ContextAI
FreeScout is a self-hosted help desk system with multi-mailbox architecture designed to isolate customer data between mailboxes. The vulnerability exists in the phone conversation creation API endpoint, which accepts customer_id, name, to_email, and phone parameters from authenticated agents. The backend fails to validate that the referenced customer_id belongs to the mailbox the agent has access to, violating CWE-639 (Authorization Bypass Through User-Controlled Key). This represents a broken access control scenario where object-level authorization is not enforced, allowing horizontal privilege escalation between mailbox contexts. The phone conversation workflow accepts arbitrary customer identifiers and email addresses, directly modifying customer records without scope validation. CPE data not provided in input, but affected product is the FreeScout application prior to version 1.8.214.
RemediationAI
Upgrade to FreeScout version 1.8.214 or later, available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214. The fix implemented in commit 83eea1ca47d97c6cdc90c501734bc2579b014a34 enforces mailbox-scoped customer visibility validation during phone conversation creation. For systems unable to immediately upgrade, implement compensating controls by restricting agent permissions to prevent phone conversation creation, though this significantly limits help desk functionality. Alternatively, audit phone conversation creation API access logs for suspicious cross-mailbox customer_id references and monitor for unexpected customer email alias additions. Post-upgrade, review existing phone conversation records created prior to patching for potentially unauthorized cross-mailbox customer associations and verify customer email alias integrity across all mailboxes. No workaround preserves full functionality; immediate patching is strongly recommended for multi-mailbox deployments.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24187