Skip to main content

FreeScout EUVDEUVD-2026-24189

| CVE-2026-40592 MEDIUM
Missing Authorization (CWE-862)
2026-04-21 security-advisories@github.com
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:38 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24189
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route GET /conversation/undo-reply/{thread_id} checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.

AnalysisAI

FreeScout versions prior to 1.8.214 allow authenticated agents in shared mailboxes to recall another agent's reply within a 15-second undo window due to insufficient authorization checks on the undo-send endpoint. The vulnerability requires agent-level authentication and shared mailbox access but enables one user to suppress a colleague's outbound communication, affecting message integrity and audit trails in multi-agent help desk environments.

Technical ContextAI

FreeScout is a self-hosted help desk platform that supports shared mailbox functionality where multiple agents collaborate on customer conversations. The vulnerability exists in the undo-reply route (GET /conversation/undo-reply/{thread_id}) which implements authorization through a conversation-view permission check (CWE-862: Missing Authorization). This authorization model fails to distinguish between users who can view a conversation and users who authored a specific reply. In multi-agent environments, any agent with mailbox access can invoke the undo endpoint for any reply visible in that mailbox, regardless of authorship. The 15-second undo window creates a narrow but exploitable race condition during active support sessions.

RemediationAI

Upgrade FreeScout to version 1.8.214 or later immediately, which implements proper authorization checks to verify that the user invoking undo-reply is the original author of the reply being undone. If immediate upgrade is not possible, restrict agent access to the undo-reply endpoint via reverse proxy or web application firewall rules (e.g., block GET /conversation/undo-reply/ at network layer) - this disables undo functionality for all users until patch is applied but prevents cross-user reply suppression. Alternatively, enforce strict time-limited session management for help desk agents (15-second or shorter session re-authentication) to reduce the likelihood that an attacker maintains active session access during the undo window, though this is a compensating control with significant UX impact. Verify the fix via the commit https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d and official release tag 1.8.214.

Share

EUVD-2026-24189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy