CVE-2026-39384
Received - Intake
Improper Access Control in FreeScout Customer Merge Prior to 1.8.212

Publication date: 2026-04-07

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Vendor: freescout
Product: freescout
Version / Range: all versions before 1.8.212 (1.8.212 itself is excluded, i.e. fixed)
Helpful Resources
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39384 is a high-severity authorization bypass vulnerability in FreeScout versions prior to 1.8.212, specifically affecting the customer merge functionality.

The vulnerability allows an authenticated user with low privileges to perform a destructive merge operation across mailboxes without proper authorization checks.

By sending a crafted POST request to the endpoint `/customers/{source_id}/merge` with a manipulated `customer2_id` parameter, an attacker can merge a target customer (potentially from a mailbox hidden from the attacker) into a source customer.

This merge causes the target customer to disappear, transfers its emails to the source customer, and reassigns its conversations, effectively bypassing mailbox-level access controls.

The root cause is that the merge handler does not apply the `limit_user_customer_visibility` setting when resolving the target customer, so whatever customer ID the user supplies is accepted without checking that the user is allowed to see that record (CWE-639: authorization bypass through a user-controlled key).


How can this vulnerability impact me?

This vulnerability can impact you by allowing an authenticated user with low privileges to merge customer records across mailbox boundaries without authorization.

As a result, the target customer record disappears, its emails are transferred to another customer, and its conversations are reassigned, leading to unauthorized modification of customer data.

The integrity of customer data is compromised, which can disrupt business operations and cause confusion or loss of data trust.

The vulnerability has a low confidentiality impact and low availability impact, but a high integrity impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

On a production system, start with the installed FreeScout version: anything before 1.8.212 is affected. Then review web server access logs for POST requests to `/customers/{id}/merge`; a GET of that path is only the merge page, while the POST is the merge action itself. Because the access log does not carry the request body, the `customer2_id` value is not visible there and must be taken from application-level logging.

In a test environment the authorization bypass itself can be confirmed by reproducing it: an authenticated user with low privileges sends a crafted POST request to the endpoint `/customers/{source_id}/merge` with a manipulated `customer2_id` parameter to merge a hidden target customer into a visible source customer.

Reproduction steps include:

  • Resetting a lab environment with the proof-of-concept's `setup-customer-merge-lab.sh` script, which seeds the database with test customers.
  • Logging in as an agent with valid credentials.
  • Fetching the merge page for the source customer to extract a CSRF token.
  • Optionally querying the AJAX customer search endpoint to confirm the target customer is hidden and not selectable via the UI.
  • Submitting a crafted POST request using curl or a similar tool to the merge endpoint with the hidden target customer's ID, bypassing the UI restriction and the missing authorization check.

The example commands use curl to perform the POST with the CSRF token and manipulated parameters, as demonstrated in the proof-of-concept scripts.
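The two checks above that a defender can run offline, as an added example written for this page (it is not FreeScout's code and not the proof-of-concept scripts): a version comparison against the 1.8.212 fix, and a scan of a combined-format web server access log for POSTs to the customer merge endpoint. The log lines embedded in the script are constructed for the example, not real traffic, and the endpoint path and version threshold are the ones stated in this advisory.

```python
"""Detection helpers for CVE-2026-39384 (FreeScout customer merge).

Two offline checks:
  1. is_vulnerable_version(): is the installed FreeScout older than 1.8.212?
  2. find_merge_requests(): which POSTs to /customers/{id}/merge appear in a
     combined-format access log, and from which client?

The sample log lines at the bottom are constructed for this example.
"""
import re

# Version in which the advisory says the issue is fixed.
FIXED_VERSION = (1, 8, 212)

# Combined log format:
#   client ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The merge action named in the advisory; the numeric segment is the source
# customer id (the record that survives the merge).
_MERGE_PATH_RE = re.compile(r'^/customers/(?P<source_id>\d+)/merge/?(?:\?.*)?$')


def parse_version(version: str) -> tuple:
    """'1.8.211' -> (1, 8, 211); a leading 'v' or missing parts are tolerated."""
    parts = [int(p) for p in re.findall(r'\d+', version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version predates the 1.8.212 fix."""
    return parse_version(version) < FIXED_VERSION


def parse_access_log_line(line: str):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_merge_requests(lines):
    """Return every POST to the customer-merge endpoint.

    Only POSTs are flagged: a GET of the same path is the normal merge page
    (the PoC fetches it for a CSRF token), not a merge action. The access log
    does not carry the request body, so customer2_id is not visible here.
    """
    hits = []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        pm = _MERGE_PATH_RE.match(rec['path'])
        if pm:
            hits.append({
                'time': rec['time'],
                'client': rec['client'],
                'source_id': pm.group('source_id'),
                'status': rec['status'],
            })
    return hits


# Constructed sample lines (not real traffic). Line 1 is the merge page (GET),
# line 3 is an unrelated POST under /customers/, lines 2 and 4 are merge actions.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2026:10:15:30 +0000] "GET /customers/42/merge HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Apr/2026:10:15:32 +0000] "POST /customers/42/merge HTTP/1.1" 302 512 "https://helpdesk.example/customers/42/merge" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2026:10:16:01 +0000] "POST /customers/42/edit HTTP/1.1" 302 210 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Apr/2026:11:02:45 +0000] "POST /customers/77/merge HTTP/1.1" 302 512 "-" "curl/8.5.0"
"""


if __name__ == '__main__':
    for v in ('1.8.211', '1.8.212'):
        print(v, 'vulnerable' if is_vulnerable_version(v) else 'fixed')
    for hit in find_merge_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because FreeScout authenticates with a session cookie, the access log's user field is normally `-`; to attribute a flagged merge to an agent, correlate the timestamp and client address with the application's own activity log, which is also where the target customer's ID (`customer2_id`) has to come from.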


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreeScout to version 1.8.212 or later, where this vulnerability is fixed.

The fix involves enforcing the `limit_user_customer_visibility` parameter during customer merges, ensuring that users cannot merge customers outside their visibility scope.

If upgrading immediately is not possible, restrict access to the customer merge functionality to trusted users only and monitor for suspicious merge activities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in FreeScout prior to version 1.8.212 allows an authenticated user with low privileges to bypass authorization controls and merge customer records across mailbox boundaries without proper permission.

This unauthorized merging can lead to unauthorized modification of customer data, which impacts data integrity and potentially exposes or alters personal or sensitive information.

Such unauthorized data manipulation and potential exposure could negatively affect compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to and modification of personal and sensitive data.

By failing to enforce visibility and authorization restrictions, the vulnerability undermines the principle of least privilege and data access controls mandated by these standards.

