CVE-2026-39384
Received Received - Intake
Improper Access Control in FreeScout Customer Merge Prior to

Publication date: 2026-04-07

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39384
EUVD
EUVD-2026-19740
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.212 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39384 is a high-severity authorization bypass vulnerability in FreeScout versions prior to 1.8.212, specifically affecting the customer merge functionality.

The vulnerability allows an authenticated user with low privileges to perform a destructive merge operation across mailboxes without proper authorization checks.

By sending a crafted POST request to the endpoint `/customers/{source_id}/merge` with a manipulated `customer2_id` parameter, an attacker can merge a target customer (potentially from a mailbox hidden from the attacker) into a source customer.

This merge causes the target customer to disappear, transfers its emails to the source customer, and reassigns its conversations, effectively bypassing mailbox-level access controls.

The root cause is an authorization bypass where the system fails to properly validate that the user is authorized to merge the specified target customer, allowing manipulation of the key identifying the customer record.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with low privileges to merge customer records across mailbox boundaries without authorization.

As a result, the target customer record disappears, its emails are transferred to another customer, and its conversations are reassigned, leading to unauthorized modification of customer data.

The integrity of customer data is compromised, which can disrupt business operations and cause confusion or loss of data trust.

The vulnerability has a low confidentiality impact and low availability impact, but a high integrity impact.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the authorization bypass using crafted HTTP requests targeting the customer merge endpoint.

Specifically, an authenticated user with low privileges can send a crafted POST request to the endpoint `/customers/{source_id}/merge` with a manipulated `customer2_id` parameter to merge a hidden target customer into a visible source customer.

Detection steps include:

  • Resetting the lab environment with the provided script `setup-customer-merge-lab.sh` to seed the database with test customers.
  • Logging in as an agent with valid credentials.
  • Fetching the merge page for the source customer to extract a CSRF token.
  • Optionally querying the AJAX customer search endpoint to confirm the target customer is hidden and not selectable via the UI.
  • Submitting a crafted POST request using curl or similar tools to the merge endpoint with the hidden target customer's ID, bypassing UI restrictions and authorization checks.

Example commands involve using curl to perform the POST request with the CSRF token and manipulated parameters, as demonstrated in the proof-of-concept scripts.

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.212 or later, where this vulnerability is fixed.

The fix involves enforcing the `limit_user_customer_visibility` parameter during customer merges, ensuring that users cannot merge customers outside their visibility scope.

If upgrading immediately is not possible, restrict access to the customer merge functionality to trusted users only and monitor for suspicious merge activities.

Compliance Impact

The vulnerability in FreeScout prior to version 1.8.212 allows an authenticated user with low privileges to bypass authorization controls and merge customer records across mailbox boundaries without proper permission.

This unauthorized merging can lead to unauthorized modification of customer data, which impacts data integrity and potentially exposes or alters personal or sensitive information.

Such unauthorized data manipulation and potential exposure could negatively affect compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to and modification of personal and sensitive data.

By failing to enforce visibility and authorization restrictions, the vulnerability undermines the principle of least privilege and data access controls mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart