Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The save_draft AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability.
AnalysisAI
Authorization bypass in FreeScout's draft save functionality allows authenticated users with low privileges to create draft messages in conversations they should not access when APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled. While the conversation view correctly enforces access controls, the save_draft AJAX endpoint fails to validate user permissions, enabling unauthorized information disclosure and message manipulation (CVSS 7.1, High integrity impact). No active exploitation confirmed (not in CISA KEV), but publicly available commit reveals exact vulnerability location. EPSS data not provided, limiting probability assessment.
Technical ContextAI
FreeScout is an open-source PHP-based help desk and shared mailbox system. The vulnerability stems from CWE-863 (Incorrect Authorization), occurring when the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS configuration restricts conversation visibility to assignees and creators only. The application implements two separate authorization checks: one in the conversation view layer (working correctly) and one in the AJAX-based save_draft API endpoint (failing). This architectural inconsistency creates an authorization gap where authenticated users can directly POST to /ajax/save_draft with conversation IDs they don't own, bypassing UI-level restrictions. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation requiring low-privilege authentication but no complexity barriers, while S:U confirms the vulnerability cannot break out of the application's security context.
RemediationAI
Upgrade to FreeScout version 1.8.215 or later, available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. The patch (commit 414878eb79be7cb01a3ae124df6efcd23729275f at https://github.com/freescout-help-desk/freescout/commit/414878eb79be7cb01a3ae124df6efcd23729275f) adds consistent authorization checks to the save_draft AJAX endpoint matching those in the conversation view. For environments unable to immediately upgrade, temporary mitigation involves disabling APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS, which removes the security boundary the vulnerability bypasses but also eliminates conversation isolation between users - acceptable only in single-team deployments without privacy requirements. Alternative compensating control: implement web application firewall rules to log and alert on POST requests to /ajax/save_draft from users not matching conversation ownership patterns, though this requires custom scripting to correlate user sessions with conversation assignments and may generate false positives during legitimate reassignment workflows. No vendor-provided workaround exists; upgrade is the only complete remediation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24195