Executive Summary

CVE-2026-41190 is an authorization bypass vulnerability in FreeScout, a self-hosted help desk application. When the configuration option APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled, the system correctly restricts direct conversation views to only the assignee or creator. However, the AJAX endpoint for saving drafts (`save_draft`) does not enforce these restrictions properly.

This flaw allows an attacker with low privileges to send a crafted POST request to the `save_draft` endpoint and create draft messages inside conversations they are not authorized to view. These drafts are hidden in the user interface but exist in the database, compromising data integrity.

The vulnerability arises from inconsistent authorization checks across different endpoints, specifically the lack of enforcement on the `save_draft` AJAX path.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with low privileges to inject draft messages into conversations they are not permitted to access or view.

Although these drafts are hidden in the user interface, their presence in the database can compromise the integrity of conversation data.

This could lead to confusion, misinformation, or manipulation of conversation threads, potentially affecting the reliability and trustworthiness of your help desk communications.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the weak authorization on the `save_draft` AJAX POST endpoint. An authenticated user with low privileges can send a crafted POST request to the endpoint with parameters such as `action=save_draft`, `mailbox_id`, `conversation_id` (pointing to a conversation they are not authorized to view), and draft content in the `body` field.

If the server responds with a success status and creates a draft associated with the hidden conversation, it indicates the presence of the vulnerability.

To confirm the injected draft, one can query the PostgreSQL database's `threads` table to check for the presence of the unauthorized draft content.

• Use a command-line tool like curl to send a POST request to the `save_draft` AJAX endpoint with appropriate parameters, for example:
• curl -X POST -d 'action=save_draft&mailbox_id=<mailbox_id>&conversation_id=<hidden_conversation_id>&body=TestDraftContent' https://<freescout-server>/ajax
• Query the PostgreSQL database to verify if the draft was created:
• psql -d <database_name> -c "SELECT * FROM threads WHERE body LIKE '%TestDraftContent%';"

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.215 or later, where this vulnerability has been fixed by enforcing proper permission checks on the `save_draft` AJAX endpoint.

If upgrading immediately is not possible, consider disabling the `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` configuration option temporarily to avoid inconsistent authorization enforcement.

Additionally, review and tighten user permissions, especially for users with low privileges, to limit their ability to access or modify conversations they are not assigned to.

Monitor logs for suspicious POST requests to the `save_draft` endpoint that could indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized users to inject draft messages into conversations they are not permitted to view, which compromises data integrity.

Such unauthorized data manipulation and potential exposure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and data integrity safeguards.

By allowing low-privilege users to alter conversation drafts invisibly, the vulnerability undermines confidentiality and integrity requirements essential for regulatory compliance.

Useful 0 Not Useful 0