FreeScout EUVD-2026-24193

| CVE-2026-41189 HIGH
Incorrect Authorization (CWE-863)
2026-04-21 [email protected]
Authentication Bypass
7.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:37 vuln.today

DescriptionNVD

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit(), which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Authorization bypass in FreeScout allows low-privileged authenticated users to edit customer threads in conversations they cannot access. The ThreadPolicy::edit() method validates mailbox access but fails to enforce assigned-only conversation restrictions from ConversationPolicy, enabling unauthorized modification of customer communications with high integrity impact. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all FreeScout installations and document current versions. Within 7 days: Apply vendor patch to FreeScout 1.8.215 or later across all instances. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-24193 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy