Executive Summary

CVE-2026-40589 is a vulnerability in FreeScout, a self-hosted help desk application, affecting versions prior to 1.8.214. It allows a low-privileged, authenticated non-admin user to edit a visible customer's record and add an email address that belongs to a hidden customer in another mailbox. This causes the system to disclose the hidden customer's name and profile URL, reassign the hidden email to the visible customer, and rebind conversations associated with that email to the visible customer. The root cause is improper authorization checks that allow unauthorized modification of key identifiers across mailboxes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with low privileges to take over email addresses from hidden customers in other mailboxes. This leads to unauthorized data manipulation where conversations and email ownership are reassigned improperly. The attacker can see hidden customer details such as their name and profile URL, compromising confidentiality to a limited extent, but more significantly impacting data integrity by modifying ownership and associations of customer emails and conversations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a low-privileged user editing a visible customer's record to add an email address belonging to a hidden customer in another mailbox, which results in unauthorized reassignment of emails and disclosure of hidden customer information.

To detect exploitation attempts on your system, monitor logs for unusual customer record edits where email addresses are reassigned across mailboxes, especially edits performed by low-privileged users.

Specifically, look for log entries indicating changes to customer email fields that reference email addresses not visible or accessible to the editing user.

Since the vulnerability is triggered by editing customer records, commands or queries that audit database changes to the customers table, focusing on email field updates, can help detect suspicious activity.

Example commands might include database queries to identify recent changes to customer emails that cross mailbox boundaries or do not align with user permissions.

However, no specific detection commands or scripts are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade FreeScout to version 1.8.214 or later, where this vulnerability has been fixed.

The fix prevents emails from customers associated with inaccessible mailboxes from being reassigned or moved to other customer profiles by adding proper authorization checks.

Until the upgrade can be applied, consider restricting low-privileged users' ability to edit customer email addresses or limit access to multi-mailbox environments where APP_LIMIT_USER_CUSTOMER_VISIBILITY=true is enabled.

Review and tighten user permissions to prevent unauthorized edits to customer records.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a low-privileged user to reassign email addresses and associated conversations from hidden customers in inaccessible mailboxes to visible customers in accessible mailboxes. This unauthorized data manipulation and disclosure can lead to exposure of personal information and unauthorized access to customer data.

Such unauthorized access and data integrity compromise may violate data protection regulations like GDPR and HIPAA, which require strict controls on personal data confidentiality, integrity, and access permissions.

Specifically, the vulnerability could result in improper disclosure of customer identities and profiles, breaching confidentiality requirements, and unauthorized modification of data, impacting data integrity.

Useful 0 Not Useful 0