Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave() persists chat_start_new outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.
AnalysisAI
Privilege escalation in FreeScout self-hosted help desk allows authenticated users with limited mailbox signature permissions to modify global chat settings beyond their authorization. The vulnerability (CVE-2026-41191) affects versions prior to 1.8.215 through insufficient input validation in the mailbox update endpoint, enabling low-privileged users to manipulate administrative configuration parameters via crafted POST requests. CVSS score of 7.1 reflects high integrity impact with low complexity network-based attack requiring only low-level authentication. No active exploitation confirmed in CISA KEV, and EPSS data not available at time of analysis, but the fix is available in version 1.8.215 with a corresponding GitHub commit.
Technical ContextAI
FreeScout is a PHP-based open-source help desk and shared inbox application designed as a free alternative to commercial ticketing systems. The vulnerability resides in the MailboxesController::updateSave() method, which processes mailbox configuration updates. The controller implements a field-level permission system where users with only 'sig' (signature) permission should be restricted to modifying signature-related fields. However, the 'chat_start_new' parameter bypasses the allowed-field filter during persistence, allowing it to be written directly to the database regardless of the user's permission scope. This represents CWE-863 (Incorrect Authorization), where the application fails to enforce authorization checks consistently across all modifiable parameters. The vulnerability exists in the server-side validation logic rather than client-side controls, meaning UI restrictions are insufficient to prevent unauthorized modifications through direct HTTP requests.
RemediationAI
Upgrade immediately to FreeScout version 1.8.215 or later, which contains the authorization enforcement fix in commit fb130de64e1c830d85dd6988eaa08d725a7be954 (https://github.com/freescout-help-desk/freescout/commit/fb130de64e1c830d85dd6988eaa08d725a7be954). Release notes available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. For organizations unable to upgrade immediately, implement temporary compensating controls by restricting network access to the mailbox configuration endpoint (/mailbox/*/update paths) to only fully-privileged administrator accounts via web application firewall rules or reverse proxy authentication, though this may impact legitimate signature editing workflows for restricted users. Alternatively, audit all user accounts with mailbox permissions and temporarily elevate logging for mailbox configuration changes to detect unauthorized modifications, then manually verify chat_start_new settings match intended configuration. Review audit logs retrospectively for POST requests to mailbox update endpoints from accounts with only signature permissions to identify potential past exploitation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24197