CVE-2026-40590

Published: Apr 21, 2026Modified: Apr 22, 2026Deferred

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/freescout-help-desk/freescout/commit/b3d7611e6e173ed8a5e525b791deb6b32cf1ce62

Source: security-advisories@github.com

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214

Source: security-advisories@github.com

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m

Source: security-advisories@github.com

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.