CVE-2026-41183 PUBLISHED

FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations

Assigner: GitHub_M
Reserved: 17.04.2026 Published: 21.04.2026 Updated: 21.04.2026

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	freescout-help-desk
Product	freescout
Versions	Version < 1.8.215 is affected

References

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE