CVE-2026-41190 PUBLISHED

FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection

Assigner: GitHub_M
Reserved: 18.04.2026 Published: 21.04.2026 Updated: 21.04.2026

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The save_draft AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	freescout-help-desk
Product	freescout
Versions	Version < 1.8.215 is affected

References

Problem Types

CWE-863: Incorrect Authorization CWE