Executive Summary

CVE-2026-40570 is a vulnerability in FreeScout, a self-hosted help desk system. Before version 1.8.213, the `load_customer_info` action accessed via the POST endpoint `/conversation/ajax` would return complete customer profile data, including all Personally Identifiable Information (PII), to any authenticated user without verifying if they had access to the associated mailbox.

The root cause is a missing authorization check: although the system checked mailbox access to decide whether to show previous conversations, it did not restrict the return of customer data itself. This means that any authenticated user who knows a customer's email address could retrieve that customer's full profile data, regardless of mailbox permissions.

This issue was fixed in version 1.8.213 by adding stricter access control checks to ensure that customer information is only returned if the user has permission to access the mailbox.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with any valid user account to retrieve full customer Personally Identifiable Information (PII) simply by knowing a customer's email address.

The impact includes unauthorized disclosure of sensitive customer data, which can lead to privacy violations, identity theft, and loss of customer trust.

Since the vulnerability bypasses mailbox access controls, it can expose data that should be restricted to certain users, increasing the risk of insider threats or data leaks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the `load_customer_info` action via a POST request to `/conversation/ajax` with a valid authenticated user account and a target customer's email address. If the system returns complete customer profile data without verifying mailbox access, it is vulnerable.

A practical detection method is to use a command-line tool like curl to simulate the vulnerable request:

• curl -X POST -d 'action=load_customer_info&[email protected]&mailbox_id=1' -b 'auth_cookie=your_auth_cookie' https://your-freescout-instance/conversation/ajax

If the response includes full customer Personally Identifiable Information (PII) despite the authenticated user not having access to the mailbox, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.213 or later, where this vulnerability has been fixed by enforcing proper mailbox access checks before returning customer data.

Until the upgrade can be applied, restrict access to the `/conversation/ajax` endpoint to only trusted users and monitor for suspicious requests attempting to access customer information.

Additionally, review and tighten user permissions related to mailbox access to minimize the risk of unauthorized data exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in FreeScout prior to version 1.8.213 allows any authenticated user to retrieve complete customer profile data, including all Personally Identifiable Information (PII), by providing just a valid email address without verifying mailbox access permissions.

This unauthorized disclosure of customer PII represents a failure to enforce proper authorization controls, which can lead to non-compliance with data protection regulations such as GDPR and HIPAA that require strict safeguards around access to personal and sensitive information.

By exposing customer PII to unauthorized users, the vulnerability increases the risk of data breaches and privacy violations, potentially resulting in regulatory penalties and loss of trust.

The issue was fixed in version 1.8.213 by enforcing stricter access control checks to ensure only authorized users with mailbox access can retrieve customer information, thereby helping to maintain compliance with common data protection standards.

Useful 0 Not Useful 0