CVE-2026-41189 PUBLISHED

FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored threads

Assigner: GitHub_M
Reserved: 18.04.2026 Published: 21.04.2026 Updated: 21.04.2026

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit(), which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	freescout-help-desk
Product	freescout
Versions	Version < 1.8.215 is affected

References

Problem Types

CWE-863: Incorrect Authorization CWE