Skip to main content

FreeScout EUVDEUVD-2026-24197

| CVE-2026-41191 HIGH
Incorrect Authorization (CWE-863)
2026-04-21 security-advisories@github.com
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:37 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24197
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave() persists chat_start_new outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Privilege escalation in FreeScout self-hosted help desk allows authenticated users with limited mailbox signature permissions to modify global chat settings beyond their authorization. The vulnerability (CVE-2026-41191) affects versions prior to 1.8.215 through insufficient input validation in the mailbox update endpoint, enabling low-privileged users to manipulate administrative configuration parameters via crafted POST requests. CVSS score of 7.1 reflects high integrity impact with low complexity network-based attack requiring only low-level authentication. No active exploitation confirmed in CISA KEV, and EPSS data not available at time of analysis, but the fix is available in version 1.8.215 with a corresponding GitHub commit.

Technical ContextAI

FreeScout is a PHP-based open-source help desk and shared inbox application designed as a free alternative to commercial ticketing systems. The vulnerability resides in the MailboxesController::updateSave() method, which processes mailbox configuration updates. The controller implements a field-level permission system where users with only 'sig' (signature) permission should be restricted to modifying signature-related fields. However, the 'chat_start_new' parameter bypasses the allowed-field filter during persistence, allowing it to be written directly to the database regardless of the user's permission scope. This represents CWE-863 (Incorrect Authorization), where the application fails to enforce authorization checks consistently across all modifiable parameters. The vulnerability exists in the server-side validation logic rather than client-side controls, meaning UI restrictions are insufficient to prevent unauthorized modifications through direct HTTP requests.

RemediationAI

Upgrade immediately to FreeScout version 1.8.215 or later, which contains the authorization enforcement fix in commit fb130de64e1c830d85dd6988eaa08d725a7be954 (https://github.com/freescout-help-desk/freescout/commit/fb130de64e1c830d85dd6988eaa08d725a7be954). Release notes available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. For organizations unable to upgrade immediately, implement temporary compensating controls by restricting network access to the mailbox configuration endpoint (/mailbox/*/update paths) to only fully-privileged administrator accounts via web application firewall rules or reverse proxy authentication, though this may impact legitimate signature editing workflows for restricted users. Alternatively, audit all user accounts with mailbox permissions and temporarily elevate logging for mailbox configuration changes to detect unauthorized modifications, then manually verify chat_start_new settings match intended configuration. Review audit logs retrospectively for POST requests to mailbox update endpoints from accounts with only signature permissions to identify potential past exploitation.

Share

EUVD-2026-24197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy