Compliance Impact

The vulnerability in FreeScout prior to version 1.8.215 allows unauthorized users to discover conversations assigned exclusively to others through global search and AJAX filter endpoints. This leads to leakage of sensitive information such as conversation identifiers, subjects, customer details, assignee labels, and conversation numbers.

Such unauthorized exposure of sensitive metadata can impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and confidentiality of personal and sensitive information.

By allowing non-assignee agents to see metadata of conversations they should not access, the vulnerability undermines confidentiality requirements and could lead to unauthorized data disclosure, potentially resulting in regulatory non-compliance.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41183 is a vulnerability in FreeScout versions prior to 1.8.215 where the 'assigned-only' restriction on conversations is not properly enforced in all parts of the application.

While direct conversation views and folder queries correctly restrict access to conversations assigned only to the user, non-folder query builders such as global search and AJAX filter endpoints fail to apply this restriction.

This flaw allows users who are not assigned to certain conversations to see metadata and references to those conversations through search results and AJAX filters, even though they cannot directly access the conversation content (which returns an HTTP 403 error).

The exposed information includes conversation identifiers, subjects, customer names, assignee labels, and conversation numbers, leading to an information disclosure issue (CWE-200).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by exposing metadata about conversations that a user should not have access to.

Although the actual conversation content remains protected and inaccessible (HTTP 403), the leakage of conversation identifiers, subjects, customer details, and assignee information can compromise privacy and confidentiality.

Such information disclosure could be exploited by malicious users to gather intelligence about internal communications, customer interactions, or assignment details, potentially leading to further security or privacy risks.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.3, indicating a network attack vector with low complexity and low privileges required, but no impact on integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to perform global search or AJAX filter queries as a non-assignee user and observing if conversations assigned exclusively to others appear in the search results or filter responses.

Proof-of-concept commands involve logging in as a non-assignee agent and verifying that direct conversation access returns HTTP 403 (forbidden), but the conversation metadata such as subject, customer, assignee label, and conversation number still appear in search results or AJAX filter responses.

• Log in as a non-assignee user.
• Perform a global search query or AJAX filter request for conversations.
• Check if conversations assigned only to other users appear in the results.
• Attempt to directly access those conversations and confirm access is denied with HTTP 403.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.215 or later, where the vulnerability has been fixed.

Version 1.8.215 includes code changes that enforce the 'assigned-only' restriction on all conversation queries, including global search and AJAX filters, preventing unauthorized users from seeing conversations assigned to others.

If upgrading immediately is not possible, restrict access to the global search and AJAX filter endpoints for users without proper permissions as a temporary workaround.

Useful 0 Not Useful 0