Skip to main content

FreeScout EUVDEUVD-2026-28406

| CVE-2026-41903 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-07 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
May 07, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 19:45 vuln.today
Analysis Generated
May 07, 2026 - 19:45 vuln.today
CVE Published
May 07, 2026 - 18:02 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass - the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.

AnalysisAI

FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.

Technical ContextAI

FreeScout is a PHP-based Laravel help desk application. The vulnerability stems from insufficient permission validation in the notification settings endpoint (CWE-863: Incorrect Authorization). The PERM_EDIT_USERS permission was designed for general user-profile editing but lacks granular checks to prevent cross-user notification subscription manipulation. Laravel's permission model allows role-based access control, but this implementation failed to isolate notification settings from the broader user-editing scope. The vulnerability affects the notification subscription feature, which governs email, browser, and mobile alert delivery channels for security events and task assignments.

RemediationAI

Upgrade FreeScout to version 1.8.217 or later immediately. The vendor has confirmed the fix in release 1.8.217, which implements proper permission checks for the notification settings endpoint (referenced in security advisory GHSA-f489-qxv6-gvgg). As a temporary workaround if immediate upgrade is impossible, restrict the PERM_EDIT_USERS permission to trusted administrators only and regularly audit user-permission assignments to detect unauthorized elevation. Additionally, enable audit logging for permission and notification configuration changes to detect exploitation attempts. Monitor admin notification delivery rates and investigate gaps that may indicate silent disabling. Note that FreeScout should implement endpoint-level permission checks in addition to role-based access to prevent similar vulnerabilities in related features, as evidenced by the CVE-2025-48472 sibling issue.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

EUVD-2026-28406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy