CVE-2026-40591
Received Received - Intake
Authorization Bypass in FreeScout Phone Conversation Creation

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40591
EUVD
EUVD-2026-24187
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.214 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing a low-privileged agent to modify customer data that should be hidden or inaccessible to them. Specifically, an attacker can link phone conversations in one mailbox to hidden customers in another mailbox and add unauthorized alias emails to those hidden customer records.

The integrity of customer data is compromised because unauthorized modifications can be made, potentially leading to data corruption or misuse.

The CVSS v3.1 score for this vulnerability is 7.1 (High), indicating a significant risk with low attack complexity and no user interaction required.

Executive Summary

CVE-2026-40591 is a high-severity authorization vulnerability in FreeScout versions prior to 1.8.214. The issue occurs in the phone conversation creation process, where the backend accepts attacker-controlled parameters such as customer_id, name, to_email, and phone without enforcing mailbox-scoped customer visibility.

This flaw allows a low-privileged agent who can create phone conversations in one mailbox (Mailbox A) to associate a new phone conversation with a hidden customer from another mailbox (Mailbox B). The attacker can also add a new alias email to that hidden customer by supplying the to_email parameter.

The vulnerability arises because the backend does not restrict customer resolution to the mailbox scope, enabling unauthorized cross-mailbox modifications. It is classified under CWE-639: Authorization Bypass Through User-Controlled Key.

Detection Guidance

This vulnerability can be detected by attempting to create a phone conversation in one mailbox (Mailbox A) while specifying a hidden customer ID from another mailbox (Mailbox B) in the customer_id field. If the system allows this cross-mailbox association and modifies the hidden customer record by adding a new alias email, the vulnerability is present.

Detection steps include:

  • Log in as a low-privileged agent and obtain a CSRF token.
  • Verify that the hidden customer from Mailbox B is not visible in the UI customer selector.
  • Use an HTTP request (e.g., curl) to create a phone conversation in Mailbox A, specifying the hidden customer's ID in the customer_id parameter and supplying a to_email value.
  • Check if the hidden customer record is modified to include the new alias email and if a new phone conversation linked to the hidden customer exists in the visible mailbox.

Example command using curl (replace placeholders accordingly):

curl -X POST https://your-freescout-instance/api/conversations/phone \ -H "Cookie: session=your_session_cookie" \ -H "X-CSRF-Token: your_csrf_token" \ -d "customer_id=hidden_customer_id&name=Test&[email protected]&phone=1234567890"

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade FreeScout to version 1.8.214 or later, where this vulnerability has been fixed by enforcing mailbox-scoped customer visibility and permission checks.

If upgrading immediately is not possible, consider restricting the ability of low-privileged agents to create phone conversations or modifying access controls to prevent unauthorized customer modifications.

Additionally, monitor logs for suspicious phone conversation creation activities involving unexpected customer IDs or alias email additions.

Compliance Impact

The vulnerability allows a low-privileged agent to bypass mailbox-scoped customer visibility controls and modify customer records across mailboxes, including adding alias emails to hidden customers. This unauthorized access and modification of customer data could lead to violations of data protection principles such as confidentiality and integrity.

Such unauthorized data modification and potential exposure of customer information may impact compliance with regulations like GDPR and HIPAA, which require strict access controls and protection of personal data to prevent unauthorized access and alteration.

The vulnerability's integrity impact is rated high, and confidentiality impact is low, indicating that while data exposure is limited, unauthorized changes to customer data could undermine regulatory compliance related to data accuracy and protection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart