Skip to main content

FreeScout EUVDEUVD-2026-24221

| CVE-2026-41192 HIGH
Missing Authorization (CWE-862)
2026-04-21 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 18:48 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:45 euvd
EUVD-2026-24221
Analysis Generated
Apr 21, 2026 - 17:45 vuln.today
CVE Published
Apr 21, 2026 - 17:12 nvd
HIGH 7.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in attachments_all[] but omitted from retained lists are decrypted and passed directly to Attachment::deleteByIds(). Because load_attachments returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through save_draft and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The vulnerability exploits insufficient authorization checks in the reply/draft workflows, allowing peers with legitimate conversation access to extract encrypted attachment IDs via load_attachments, then submit those IDs through save_draft to trigger deletion of attachments they should not control. With CVSS 7.1 (AV:N/AC:L/PR:L) and EPSS data unavailable, risk depends heavily on whether attackers have mailbox credentials and access to shared conversations. GitHub commit 5f182818e confirms the fix validates attachment ownership before deletion.

Technical ContextAI

FreeScout is an open-source PHP-based help desk and shared mailbox application (cpe:2.3:a:freescout-help-desk:freescout). The vulnerability stems from CWE-862 (Missing Authorization) in the attachment management subsystem. The application encrypts attachment IDs before sending them to clients, but the reply and draft-saving endpoints (save_draft) perform decryption without verifying that the submitting user has authorization to modify those specific attachments. When a user saves a draft and omits attachment IDs from retained lists (attachments_all[] parameter), the backend interprets omitted IDs as deletion requests and passes them to Attachment::deleteByIds() without ownership validation. An authenticated user who can view any conversation can call load_attachments to obtain encrypted IDs for all attachments in that conversation, then replay those IDs through their own draft operations to trigger unauthorized deletions. The encryption of IDs provides no security boundary here since any legitimate user can obtain valid encrypted tokens for visible attachments.

RemediationAI

Upgrade to FreeScout version 1.8.215 or later, released at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. The fix commit (5f182818e2391f8e711fec6ae6648ac0b367bef5 at https://github.com/freescout-help-desk/freescout/commit/5f182818e2391f8e711fec6ae6648ac0b367bef5) implements authorization validation before attachment deletion operations. For systems unable to upgrade immediately, implement network-level access restrictions limiting mailbox access to trusted users only, and audit user permissions to minimize the number of accounts with mailbox access (reducing attack surface). Enable application logging to monitor attachment deletion events and investigate anomalous bulk deletion patterns. Note that restricting draft-saving functionality would break core application features, so access control hardening is the only viable short-term mitigation until patching. Review recent attachment deletion logs for unauthorized activity if exploitation is suspected.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

EUVD-2026-24221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy