CVE-2026-41191
Received Received - Intake
Privilege Escalation in FreeScout MailboxesController via Unauthorized POST

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41191
EUVD
EUVD-2026-24197
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.215 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41191 is a vulnerability in FreeScout versions prior to 1.8.215 where the mailbox permission model is improperly enforced in the MailboxesController::updateSave() function.

Specifically, users who have only the 'signature' (sig) mailbox permission, which should restrict them to modifying only the email signature field, can exploit this flaw to change a hidden mailbox-wide chat setting called 'chat_start_new' by sending direct POST requests.

Although the user interface hides this chat setting from signature-only users, the backend does not filter out this field, allowing unauthorized modification.

This occurs because the 'chat_start_new' parameter is persisted outside the allowed-field filter in the updateSave() method, enabling an agent with limited permissions to escalate privileges and alter mailbox-wide settings.

Impact Analysis

This vulnerability allows an agent with only signature editing permissions to escalate their privileges and modify mailbox-wide settings that they should not have access to.

Specifically, they can change the 'chat_start_new' setting, which controls whether a new chat conversation is started when receiving a reply to a closed or deleted chat conversation.

Such unauthorized changes can compromise the integrity of mailbox behavior, potentially disrupting normal operations or causing unexpected mailbox functionality.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 7.1, indicating it is exploitable remotely with low complexity and requires only low privileges.

Detection Guidance

This vulnerability can be detected by verifying if users with only the mailbox 'sig' (signature) permission are able to modify the hidden mailbox-wide chat setting `chat_start_new` via direct POST requests, which should not be allowed.

One method to detect exploitation is to monitor POST requests to the MailboxesController::updateSave() endpoint for the presence of the `chat_start_new` parameter submitted by users who only have signature permissions.

Additionally, direct database queries can be used to check if the `chat_start_new` flag has been unexpectedly set or changed in mailbox metadata.

  • Example SQL command to check mailbox metadata for unauthorized changes: SELECT * FROM mailbox_meta WHERE meta_key = 'chat_start_new' AND meta_value = 1;
  • Example to verify user permissions in the mailbox_user table: SELECT * FROM mailbox_user WHERE permissions LIKE '%sig%';
  • Monitor web server logs or use tools like Wireshark to capture POST requests containing `chat_start_new` parameters from users with limited permissions.
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade FreeScout to version 1.8.215 or later, where the vulnerability is fixed by enforcing proper permission checks before allowing updates to the `chat_start_new` mailbox setting.

If upgrading immediately is not possible, restrict or audit users who have only the 'sig' mailbox permission to prevent unauthorized modification attempts.

Review and monitor mailbox settings changes, especially those related to `chat_start_new`, to detect and respond to unauthorized modifications.

Apply additional access control policies and logging to ensure that only users with appropriate permissions can update mailbox-wide settings.

Compliance Impact

The vulnerability allows users with limited mailbox permissions (signature-only) to escalate privileges and modify mailbox-wide settings without proper authorization. This unauthorized modification of mailbox settings could potentially lead to integrity issues within the mailbox data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized changes to mailbox settings could indirectly impact compliance by undermining data integrity and access controls, which are critical components of these regulations.

However, there is no direct information provided about specific impacts on compliance frameworks or regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart