Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability.
AnalysisAI
FreeScout prior to version 1.8.215 leaks confidential help desk conversations to authenticated users through global search and AJAX filter endpoints, bypassing per-conversation access controls that should restrict visibility to assigned agents. An authenticated user with any level of helpdesk access can enumerate and view conversations they should not have permission to access via non-folder query builders, revealing sensitive customer and internal communication that the application explicitly restricts in folder views.
Technical ContextAI
FreeScout is a self-hosted help desk platform that manages customer conversations and support tickets. The application implements conversation-level access controls to restrict visibility based on agent assignments - certain conversations should only be visible to assigned team members. However, the authorization logic (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) is inconsistently applied across query paths. Direct conversation views and folder-based queries correctly enforce the 'assigned-only' restriction, but alternative query paths - specifically global search functionality and AJAX filter endpoints - bypass this authorization layer. This inconsistency allows authenticated agents to access restricted conversations through alternate code paths that were not properly secured against information disclosure.
RemediationAI
Upgrade FreeScout to version 1.8.215 or later immediately - this is the vendor-released patch that restores proper authorization checks to global search and AJAX filter endpoints. Apply the patch by downloading the latest release from https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215 and following standard FreeScout update procedures. As a temporary compensating control pending upgrade, restrict access to the global search feature and AJAX filter API endpoints via web server configuration (e.g., nginx location blocks or Apache .htaccess rules) to administrative users only, though this will degrade functionality for regular agents. An additional interim measure is to audit access logs for suspicious global search or AJAX filter queries by non-administrative users and review their conversation history for unauthorized access, but this does not prevent ongoing exploitation. Prioritize patching over workarounds, as the core authorization vulnerability cannot be fully mitigated without code-level fixes.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24191