CVE-2026-40592
Received - Intake
Authorization Bypass in FreeScout Undo-Send Reply Feature

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
Affected Vendors & Products
Vendor Product Version / Range
freescout freescout 1.8.214
Helpful Resources
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-40592 is a moderate severity vulnerability in FreeScout versions prior to 1.8.214. It affects the undo-send functionality for outbound replies in shared mailboxes. The vulnerability arises because the system only checks if the current user can view the parent conversation but does not verify if the user originally created the reply they are trying to undo.

This means that within the 15-second undo window after sending a reply, one agent sharing the mailbox can recall (undo) another agent's just-sent reply. The flaw is due to missing authorization checks, allowing unauthorized users to modify conversation threads by undoing replies they did not create.

Impact Analysis

The practical impact is that any agent sharing a mailbox can undo another agent's sent reply within the 15-second undo window. This violates the expectation that only the sender controls a reply and allows unauthorized modification of conversation threads.

The integrity of the conversation data is compromised because replies can be reverted to draft state by users who did not originally send them. This can cause confusion, disrupt communication workflows, and potentially lead to loss or alteration of important information.

Detection Guidance

This vulnerability can be detected by observing unauthorized undo actions on replies in a shared mailbox environment. Specifically, one can test if an agent is able to undo another agent's sent reply within the 15-second undo window by issuing a GET request to the endpoint `/conversation/undo-reply/{thread_id}` with a thread ID that was created by a different user.

To reproduce or detect this behavior, you can use curl commands to simulate two different agents sharing the same mailbox:

  • Agent 1 logs in and sends a reply to a conversation via an AJAX POST request including parameters such as mailbox_id, conversation_id, and reply body.
  • Agent 2 logs in separately and issues a GET request to `/conversation/undo-reply/{thread_id}` where `{thread_id}` is the ID of the reply created by Agent 1.

If the server responds with a redirect (HTTP 302) and the reply's state changes back to draft, it indicates the vulnerability is present because Agent 2 was able to undo Agent 1's reply without proper authorization.

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.214 or later, where this vulnerability has been fixed.

The fix involves adding an authorization check in the undo-send functionality to ensure that only the original creator of a reply can undo sending it. This prevents other agents sharing the mailbox from undoing replies they did not create.

If upgrading immediately is not possible, consider restricting access to the undo-send endpoint or limiting shared mailbox usage until the patch can be applied.
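The following is an added illustration of the authorization check described above, written for a Laravel controller in the shape FreeScout's code base uses. It is not FreeScout's own code or its actual fix: the `Thread` and `Conversation` model names, the `created_by_user_id` column, the `revertToDraft()` method, the `view` policy name and the route name are all assumptions made for the example. It shows the "before" shape (only a view check on the parent conversation) beside the hardened shape (view check plus an ownership check), and logs denied attempts so that cross-agent undo attempts become visible in application logs.

```php
<?php
// Added example, not FreeScout's own code. Model names, column names,
// helper methods and route names below are assumptions for illustration.

use App\Models\Conversation;   // assumed model
use App\Models\Thread;         // assumed model; one row per reply/thread
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class UndoReplyController
{
    use AuthorizesRequests;

    // "Before" shape (CWE-862): the only check is whether the current user
    // may VIEW the parent conversation. In a shared mailbox every agent
    // passes that check, so any agent can recall any other agent's reply.
    public function undoReplyMissingOwnershipCheck(Request $request, int $threadId)
    {
        $thread       = Thread::findOrFail($threadId);
        $conversation = $thread->conversation;

        $this->authorize('view', $conversation);   // viewing is not owning

        $thread->revertToDraft();                  // assumed helper
        return redirect()->route('conversations.view', ['id' => $conversation->id]);
    }

    // Hardened shape: keep the conversation check, then require that the
    // authenticated user is the creator of the specific thread being undone.
    public function undoReply(Request $request, int $threadId)
    {
        $thread       = Thread::findOrFail($threadId);
        $conversation = $thread->conversation;

        $this->authorize('view', $conversation);

        $userId = (int) $request->user()->id;
        if (!self::canUndo($userId, $thread)) {
            // Denied attempts are worth logging: a non-creator hitting this
            // route is exactly the behaviour the advisory describes.
            Log::warning('undo-reply denied: user is not the reply creator', [
                'user_id'    => $userId,
                'thread_id'  => $thread->id,
                'created_by' => $thread->created_by_user_id,   // assumed column
                'ip'         => $request->ip(),
            ]);
            throw new AuthorizationException('Only the agent who sent this reply can undo it.');
        }

        $thread->revertToDraft();
        return redirect()->route('conversations.view', ['id' => $conversation->id]);
    }

    // The ownership rule on its own, so it can be unit-tested without HTTP.
    // Comparing as integers avoids a loose string/int comparison surprise.
    public static function canUndo(int $userId, Thread $thread): bool
    {
        return (int) $thread->created_by_user_id === $userId;
    }
}
```

The separation of `canUndo()` from the controller action is deliberate: the authorization decision becomes a pure function that a feature test can exercise with two agents in the same mailbox (creator allowed, non-creator denied), which is the regression test a team would want after applying 1.8.214. The time-window check that FreeScout applies to undo-send is independent of this ownership check and is left out of the example.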

Compliance Impact

The vulnerability allows any agent sharing a mailbox to undo another agent's sent reply within a 15-second window without proper authorization checks. This unauthorized modification of conversation threads impacts data integrity.

While the vulnerability does not affect confidentiality, the integrity impact could lead to compliance issues with standards and regulations that require strict access controls and data integrity, such as GDPR and HIPAA.

Specifically, unauthorized modification of communication records may violate requirements for auditability and data accuracy, potentially undermining trust in the system's handling of sensitive or regulated information.
