CVE-2026-40591
Status: Received - Intake
Authorization Bypass in FreeScout Phone Conversation Creation

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: freescout; Product: freescout; Version / Range: to 1.8.214 (inc)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows a low-privileged agent to bypass mailbox-scoped customer visibility controls and modify customer records across mailboxes, including adding alias emails to hidden customers. This unauthorized access and modification of customer data could lead to violations of data protection principles such as confidentiality and integrity.

Such unauthorized data modification and potential exposure of customer information may impact compliance with regulations like GDPR and HIPAA, which require strict access controls and protection of personal data to prevent unauthorized access and alteration.

The vulnerability's integrity impact is rated high, and confidentiality impact is low, indicating that while data exposure is limited, unauthorized changes to customer data could undermine regulatory compliance related to data accuracy and protection.


How can this vulnerability impact me?

This vulnerability can impact you by allowing a low-privileged agent to modify customer data that should be hidden or inaccessible to them. Specifically, an attacker can link phone conversations in one mailbox to hidden customers in another mailbox and add unauthorized alias emails to those hidden customer records.

The integrity of customer data is compromised because unauthorized modifications can be made, potentially leading to data corruption or misuse.

The CVSS v3.1 score for this vulnerability is 7.1 (High), indicating a significant risk with low attack complexity and no user interaction required.


Can you explain this vulnerability to me?

CVE-2026-40591 is a high-severity authorization vulnerability in FreeScout versions prior to 1.8.214. The issue occurs in the phone conversation creation process, where the backend accepts attacker-controlled parameters such as customer_id, name, to_email, and phone without enforcing mailbox-scoped customer visibility.

This flaw allows a low-privileged agent who can create phone conversations in one mailbox (Mailbox A) to associate a new phone conversation with a hidden customer from another mailbox (Mailbox B). The attacker can also add a new alias email to that hidden customer by supplying the to_email parameter.

The vulnerability arises because the backend does not restrict customer resolution to the mailbox scope, enabling unauthorized cross-mailbox modifications. It is classified under CWE-639: Authorization Bypass Through User-Controlled Key.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to create a phone conversation in one mailbox (Mailbox A) while specifying a hidden customer ID from another mailbox (Mailbox B) in the customer_id field. If the system allows this cross-mailbox association and modifies the hidden customer record by adding a new alias email, the vulnerability is present.

Detection steps include:

  • Log in as a low-privileged agent and obtain a CSRF token.
  • Verify that the hidden customer from Mailbox B is not visible in the UI customer selector.
  • Use an HTTP request (e.g., curl) to create a phone conversation in Mailbox A, specifying the hidden customer's ID in the customer_id parameter and supplying a to_email value.
  • Check if the hidden customer record is modified to include the new alias email and if a new phone conversation linked to the hidden customer exists in the visible mailbox.

Example command using curl (replace placeholders accordingly; the `to_email` value was lost in extraction and is shown here as a placeholder):

curl -X POST https://your-freescout-instance/api/conversations/phone \
  -H "Cookie: session=your_session_cookie" \
  -H "X-CSRF-Token: your_csrf_token" \
  -d "customer_id=hidden_customer_id&name=Test&to_email=alias_email_placeholder&phone=1234567890"


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade FreeScout to version 1.8.214 or later, where this vulnerability has been fixed by enforcing mailbox-scoped customer visibility and permission checks.

If upgrading immediately is not possible, consider restricting the ability of low-privileged agents to create phone conversations or modifying access controls to prevent unauthorized customer modifications.

Additionally, monitor logs for suspicious phone conversation creation activities involving unexpected customer IDs or alias email additions.
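The fix described above comes down to one change in how the backend resolves `customer_id`. The following is an added example, not FreeScout's code: a small model of the pre-1.8.214 lookup (customer fetched by a client-supplied id with no mailbox-scope check, so a `to_email` alias lands on a hidden record) next to the mailbox-scoped lookup the fix enforces. The `Customer`, `Agent` and mailbox identifiers are constructed for the demonstration.

```python
# Added example, not FreeScout's code: a minimal model of the CWE-639 flaw in
# CVE-2026-40591 (customer resolved by a client-supplied customer_id with no
# mailbox-scope check) next to the scoped lookup that the fix enforces.
from dataclasses import dataclass, field


@dataclass
class Customer:
    id: int
    mailbox_ids: set                      # mailboxes where the record is visible
    emails: list = field(default_factory=list)


@dataclass
class Agent:
    id: int
    mailbox_ids: set                      # mailboxes the agent may work in


def sample_customers():
    """Constructed data: customer 2 belongs to Mailbox B and is hidden from A."""
    return {
        1: Customer(1, {"A"}, ["alice@example.com"]),
        2: Customer(2, {"B"}, ["bob@example.com"]),
    }


def create_phone_conversation_vulnerable(customers, agent, mailbox_id, customer_id, to_email=None):
    """Pre-1.8.214 pattern: the agent's mailbox is checked, the customer is not."""
    if mailbox_id not in agent.mailbox_ids:
        raise PermissionError("agent has no access to this mailbox")
    customer = customers[customer_id]     # global lookup: any known id is accepted
    if to_email and to_email not in customer.emails:
        customer.emails.append(to_email)  # alias is written onto the hidden record
    return {"mailbox": mailbox_id, "customer_id": customer.id}


def create_phone_conversation_fixed(customers, agent, mailbox_id, customer_id, to_email=None):
    """Fixed pattern: resolve the customer only inside the conversation's mailbox."""
    if mailbox_id not in agent.mailbox_ids:
        raise PermissionError("agent has no access to this mailbox")
    customer = customers.get(customer_id)
    if customer is None or mailbox_id not in customer.mailbox_ids:
        # Treat out-of-scope ids exactly like unknown ids; do not confirm they exist.
        raise LookupError("customer not found in this mailbox")
    if to_email and to_email not in customer.emails:
        customer.emails.append(to_email)
    return {"mailbox": mailbox_id, "customer_id": customer.id}
```

The scoped variant is also what a regression test should pin down: a conversation in Mailbox A referencing a Mailbox B customer must fail with the same error as a non-existent id, and the hidden record must stay unchanged.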

