FreeScout EUVD-2026-24197

| CVE-2026-41191 HIGH
Incorrect Authorization (CWE-863)
2026-04-21 [email protected]
Authentication Bypass
7.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:37 vuln.today

DescriptionNVD

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave() persists chat_start_new outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Privilege escalation in FreeScout self-hosted help desk allows authenticated users with limited mailbox signature permissions to modify global chat settings beyond their authorization. The vulnerability (CVE-2026-41191) affects versions prior to 1.8.215 through insufficient input validation in the mailbox update endpoint, enabling low-privileged users to manipulate administrative configuration parameters via crafted POST requests. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all FreeScout deployments and confirm current versions. Within 7 days: Upgrade all affected FreeScout instances to version 1.8.215 or later. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-24197 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy