CVE-2026-41183
Information Disclosure in FreeScout Due to Incomplete Access Restrictions
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | < 1.8.215 (fixed in 1.8.215) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41183 is a vulnerability in FreeScout versions prior to 1.8.215 where the 'assigned-only' restriction on conversations is not properly enforced in all parts of the application.
While direct conversation views and folder queries correctly restrict access to conversations assigned only to the user, non-folder query builders such as global search and AJAX filter endpoints fail to apply this restriction.
This flaw allows users who are not assigned to certain conversations to see metadata and references to those conversations through search results and AJAX filters, even though they cannot directly access the conversation content (which returns an HTTP 403 error).
The exposed information includes conversation identifiers, subjects, customer names, assignee labels, and conversation numbers, leading to an information disclosure issue (CWE-200).
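The following is an added illustration of the access-control gap just described; it is not FreeScout's code. It models, with assumed names and constructed data, the pattern the advisory describes: the 'assigned-only' restriction is applied in the direct conversation view and in the folder query builder, but a separate query builder (global search) never applies it, so search rows leak the identifier, number, subject, customer and assignee of conversations the user cannot open. The fixed variant routes every builder through one shared scope function, which is the shape of fix the advisory attributes to 1.8.215.

```python
"""Model of an 'assigned-only' restriction enforced in some query builders but not all.
Not FreeScout code: User, Conversation, restrict_to_assigned and the query functions
are assumed names, and CONVERSATIONS is constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class User:
    id: int
    assigned_only: bool  # assumed permission flag: may only see conversations assigned to self


@dataclass(frozen=True)
class Conversation:
    id: int
    number: int
    subject: str
    customer: str
    assignee_id: Optional[int]


# Constructed sample data: two agents (ids 1 and 2) and three conversations.
CONVERSATIONS = [
    Conversation(101, 1, "Refund request", "Alice Example", assignee_id=1),
    Conversation(102, 2, "Password reset", "Bob Example", assignee_id=2),
    Conversation(103, 3, "Invoice question", "Carol Example", assignee_id=None),
]


def restrict_to_assigned(convs: Iterable[Conversation], user: User) -> List[Conversation]:
    """The single 'assigned-only' scope that every query builder must apply."""
    if not user.assigned_only:
        return list(convs)
    return [c for c in convs if c.assignee_id == user.id]


def view_conversation(conv_id: int, user: User) -> int:
    """Direct conversation view: correctly enforced, returns an HTTP-style status."""
    conv = next(c for c in CONVERSATIONS if c.id == conv_id)
    if user.assigned_only and conv.assignee_id != user.id:
        return 403
    return 200


def folder_query(user: User) -> List[Conversation]:
    """Folder listing: applies the scope, as the advisory says folder queries do."""
    return restrict_to_assigned(CONVERSATIONS, user)


def _row(c: Conversation) -> dict:
    """The metadata a search result row carries (what leaks in the vulnerable case)."""
    return {"id": c.id, "number": c.number, "subject": c.subject,
            "customer": c.customer, "assignee_id": c.assignee_id}


def search_query_vulnerable(user: User, term: str) -> List[dict]:
    """Global search as described for versions before 1.8.215: filters on the term
    only and never applies the assigned-only scope, so rows for every matching
    conversation are returned regardless of assignment."""
    hits = [c for c in CONVERSATIONS if term.lower() in c.subject.lower()]
    return [_row(c) for c in hits]


def search_query_fixed(user: User, term: str) -> List[dict]:
    """Same search with the shared scope applied before the term filter."""
    scoped = restrict_to_assigned(CONVERSATIONS, user)
    hits = [c for c in scoped if term.lower() in c.subject.lower()]
    return [_row(c) for c in hits]


if __name__ == "__main__":
    agent2 = User(id=2, assigned_only=True)
    print("view 101 as agent 2:", view_conversation(101, agent2))
    print("vulnerable search:", [r["id"] for r in search_query_vulnerable(agent2, "re")])
    print("fixed search:", [r["id"] for r in search_query_fixed(agent2, "re")])
```

The point to take from the model is structural: the check exists and works where it was remembered, and the leak comes purely from a second code path that builds its own query. Centralising the restriction in one scope, and making every builder (folders, global search, AJAX filters) call it, removes the class of bug rather than the one instance.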
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information by exposing metadata about conversations that a user should not have access to.
Although the actual conversation content remains protected and inaccessible (HTTP 403), the leakage of conversation identifiers, subjects, customer details, and assignee information can compromise privacy and confidentiality.
Such information disclosure could be exploited by malicious users to gather intelligence about internal communications, customer interactions, or assignment details, potentially leading to further security or privacy risks.
The vulnerability is rated Medium severity with a CVSS v3.1 base score of 4.3: network attack vector, low attack complexity, low privileges required (an authenticated agent account), low confidentiality impact, and no impact on integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The check is behavioural: log in as an agent who is restricted to assigned conversations, run a global search or an AJAX filter request, and look for conversations assigned only to other agents in the response.
On a vulnerable instance the direct conversation view returns HTTP 403 for such a conversation, while the search results or filter responses still carry its subject, customer, assignee label and conversation number.
- Log in as a non-assignee user.
- Perform a global search query or AJAX filter request for conversations.
- Check if conversations assigned only to other users appear in the results.
- Attempt to directly access those conversations and confirm access is denied with HTTP 403.
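The four steps above, as an added check script that is not part of the advisory or of FreeScout. It assumes the instance exposes a global search at `<base>/search?q=<term>` whose results link conversations as `/conversation/<id>`, and a direct view at `<base>/conversation/<id>` that answers 403 when the logged-in agent is not assigned; these paths are taken from the advisory's description, not verified against the project. The script only needs a `fetch(url) -> (status, body)` callable, so an authenticated `requests.Session` can be adapted in a few lines; the run here uses a constructed in-memory fixture so it works offline.

```python
"""Detection check for CVE-2026-41183 style leakage: conversations referenced by
search but forbidden on direct view. Endpoint paths, the example host and the
FAKE_PAGES fixture are assumptions / constructed data, not project facts."""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

Fetch = Callable[[str], Tuple[int, str]]

# Conversation links in a search results page (assumed link shape).
CONV_LINK = re.compile(r'href="[^"]*/conversation/(\d+)"')


def extract_conversation_ids(html: str) -> List[int]:
    """Conversation ids referenced by a results page, in order, without duplicates."""
    seen: List[int] = []
    for m in CONV_LINK.finditer(html):
        cid = int(m.group(1))
        if cid not in seen:
            seen.append(cid)
    return seen


def find_leaked_conversations(fetch: Fetch, base_url: str, term: str) -> Dict[str, List[int]]:
    """Run the detection steps as the non-assignee user and classify each hit.

    'leaked'  : referenced by search but direct view returns 403 (the CVE condition)
    'visible' : referenced by search and directly viewable (expected behaviour)
    'other'   : any other status (redirect to login, 404, server error)
    """
    status, html = fetch(f"{base_url}/search?q={quote(term)}")
    if status != 200:
        raise RuntimeError(f"search endpoint returned {status}; is the session logged in?")
    result: Dict[str, List[int]] = {"leaked": [], "visible": [], "other": []}
    for cid in extract_conversation_ids(html):
        code, _ = fetch(f"{base_url}/conversation/{cid}")
        if code == 403:
            result["leaked"].append(cid)
        elif code == 200:
            result["visible"].append(cid)
        else:
            result["other"].append(cid)
    return result


def make_requests_fetch(session) -> Fetch:
    """Adapter for a real run: wrap an already logged-in requests.Session."""
    def fetch(url: str) -> Tuple[int, str]:
        r = session.get(url, allow_redirects=False)
        return r.status_code, r.text
    return fetch


# Constructed offline fixture modelling a vulnerable instance (assumed host).
BASE = "https://helpdesk.example"
FAKE_PAGES: Dict[str, Tuple[int, str]] = {
    f"{BASE}/search?q=invoice": (200,
        '<ul><li><a href="/conversation/101">#1 Invoice question - Alice Example</a></li>'
        '<li><a href="/conversation/102">#2 Invoice overdue - Bob Example</a></li></ul>'),
    f"{BASE}/conversation/101": (200, "<h1>#1 Invoice question</h1>"),
    f"{BASE}/conversation/102": (403, "Forbidden"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_PAGES.get(url, (404, "Not Found"))


if __name__ == "__main__":
    report = find_leaked_conversations(fake_fetch, BASE, "invoice")
    print(report)  # a non-empty 'leaked' list is the vulnerable condition
```

Any id in `leaked` is a conversation whose number, subject and customer were exposed to an agent who cannot open it. Run the same check against the AJAX filter endpoint by pointing the first request at that URL and reusing the id extraction; after upgrading to 1.8.215 the `leaked` list for a restricted agent should be empty.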
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeScout to version 1.8.215 or later, where the vulnerability has been fixed.
Version 1.8.215 includes code changes that enforce the 'assigned-only' restriction on all conversation queries, including global search and AJAX filters, preventing unauthorized users from seeing conversations assigned to others.
If upgrading immediately is not possible, restrict access to the global search and AJAX filter endpoints as a temporary workaround. A block at the web server or reverse proxy cannot tell which agents carry the 'assigned-only' restriction, so in practice this means disabling those endpoints for all agents, or limiting which accounts hold the restricted role, until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in FreeScout prior to version 1.8.215 allows unauthorized users to discover conversations assigned exclusively to others through global search and AJAX filter endpoints. This leads to leakage of sensitive information such as conversation identifiers, subjects, customer details, assignee labels, and conversation numbers.
Such unauthorized exposure of sensitive metadata can impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and confidentiality of personal and sensitive information.
By allowing non-assignee agents to see metadata of conversations they should not access, the vulnerability undermines confidentiality requirements and could lead to unauthorized data disclosure, potentially resulting in regulatory non-compliance.