Compliance Impact

The vulnerability allows an authenticated non-admin user to modify profile data of a hidden customer they should not have access to by bypassing unique-email validation and authorization checks.

This unauthorized modification of customer data could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to and modification of personal data.

Specifically, the flaw undermines data integrity and access control, which are key principles in these regulations, by allowing unauthorized users to alter customer profile information.

However, the vulnerability does not impact confidentiality or availability, as indicated by the CVSS score.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40590 is a vulnerability in FreeScout versions prior to 1.8.214 related to the "Create a new customer" functionality accessed via the POST /customers/ajax endpoint with action=create.

When the application is configured to limit user customer visibility (APP_LIMIT_USER_CUSTOMER_VISIBILITY=true), an authenticated non-admin user in a multi-mailbox setup can exploit this flaw.

Specifically, if a hidden customer exists in a mailbox the attacker cannot access, and the attacker has access to another mailbox, the endpoint bypasses unique-email validation when the supplied email matches that of the hidden customer.

As a result, instead of creating a new customer, the system reuses the hidden customer object and fills empty profile fields with attacker-controlled input, allowing unauthorized modification of that hidden customer's profile data.

This vulnerability arises from insufficient authorization checks and improper handling of unique email validation in the affected code.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated non-admin user to modify profile data of a hidden customer they should not have access to.

The impact is limited to integrity, meaning the attacker can change certain customer profile fields (such as first name and last name) without authorization.

There is no impact on confidentiality or availability.

Because the attack requires low privileges and no user interaction, it can be exploited relatively easily in affected environments.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the /customers/ajax endpoint with the parameter action=create.

Specifically, look for POST requests that attempt to create or modify customers using email addresses that belong to hidden customers, which should normally be inaccessible.

You can use network monitoring tools or web server logs to identify such requests.

• Use command-line tools like grep or awk on your web server logs to filter POST requests to /customers/ajax with action=create.
• Example command to search Apache or Nginx logs for suspicious requests: grep 'POST /customers/ajax' /var/log/nginx/access.log | grep 'action=create'
• Use curl or similar tools to test if your system is vulnerable by attempting to send a crafted POST request with action=create and an email of a known hidden customer (only in a safe testing environment).

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade FreeScout to version 1.8.214 or later, where the issue has been fixed.

This update includes strict authorization checks that prevent unauthorized users from modifying hidden customer profiles.

If upgrading immediately is not possible, consider restricting access to the /customers/ajax endpoint to trusted users only and review user permissions to limit exposure.

Additionally, monitor logs for suspicious activity as described in the detection steps to identify potential exploitation attempts.

Useful 0 Not Useful 0