CVE-2026-40589

Published: Apr 21, 2026Modified: Apr 22, 2026Deferred

7.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Exploitability: 2.8 / Impact: 4.7

Source: security-advisories@github.com (Secondary)

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer’s name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/freescout-help-desk/freescout/commit/2e2fe37111d92ac665b9ad8806eac94a1a3e502c

Source: security-advisories@github.com

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214

Source: security-advisories@github.com

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr

Source: security-advisories@github.com

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.