CVE-2026-41191
Privilege Escalation in FreeScout MailboxesController via Unauthorized POST

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: freescout
Product: freescout
Version / Range: up to 1.8.215 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41191 is a vulnerability in FreeScout versions prior to 1.8.215 where the mailbox permission model is improperly enforced in the MailboxesController::updateSave() function.

Specifically, users who have only the 'signature' (sig) mailbox permission, which should restrict them to modifying only the email signature field, can exploit this flaw to change a hidden mailbox-wide chat setting called 'chat_start_new' by sending direct POST requests.

Although the user interface hides this chat setting from signature-only users, the backend does not filter out this field, allowing unauthorized modification.

This occurs because the 'chat_start_new' parameter is persisted outside the allowed-field filter in the updateSave() method, enabling an agent with limited permissions to escalate privileges and alter mailbox-wide settings.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows users with limited mailbox permissions (signature-only) to escalate privileges and modify mailbox-wide settings without proper authorization. This unauthorized modification of mailbox settings could potentially lead to integrity issues within the mailbox data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized changes to mailbox settings could indirectly impact compliance by undermining data integrity and access controls, which are critical components of these regulations.

However, there is no direct information provided about specific impacts on compliance frameworks or regulatory requirements.


How can this vulnerability impact me?

This vulnerability allows an agent with only signature editing permissions to escalate their privileges and modify mailbox-wide settings that they should not have access to.

Specifically, they can change the 'chat_start_new' setting, which controls whether a new chat conversation is started when receiving a reply to a closed or deleted chat conversation.

Such unauthorized changes can compromise the integrity of mailbox behavior, potentially disrupting normal operations or causing unexpected mailbox functionality.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 7.1, indicating it is exploitable remotely with low complexity and requires only low privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by verifying if users with only the mailbox 'sig' (signature) permission are able to modify the hidden mailbox-wide chat setting `chat_start_new` via direct POST requests, which should not be allowed.

One method to detect exploitation is to monitor POST requests to the MailboxesController::updateSave() endpoint for the presence of the `chat_start_new` parameter submitted by users who only have signature permissions.

Additionally, direct database queries can be used to check if the `chat_start_new` flag has been unexpectedly set or changed in mailbox metadata.

  • Example SQL command to check mailbox metadata for unauthorized changes:
    SELECT * FROM mailbox_meta WHERE meta_key = 'chat_start_new' AND meta_value = 1;
  • Example to verify user permissions in the mailbox_user table:
    SELECT * FROM mailbox_user WHERE permissions LIKE '%sig%';
  • Monitor web server logs or use tools like Wireshark to capture POST requests containing `chat_start_new` parameters from users with limited permissions.

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade FreeScout to version 1.8.215 or later, where the vulnerability is fixed by enforcing proper permission checks before allowing updates to the `chat_start_new` mailbox setting.

If upgrading immediately is not possible, restrict or audit users who have only the 'sig' mailbox permission to prevent unauthorized modification attempts.

Review and monitor mailbox settings changes, especially those related to `chat_start_new`, to detect and respond to unauthorized modifications.

Apply additional access control policies and logging to ensure that only users with appropriate permissions can update mailbox-wide settings.
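The allowed-field filter described in the description and in the Q&A above, and the permission-scoped check the mitigation section calls for, as an added illustration in PHP that is not FreeScout's own code: the permission names, the per-permission field lists, the request shape and the helper names are all assumptions for this sketch. It runs a constructed POST from a signature-only user through a vulnerable save routine (one field persisted outside the filter) and through a hardened one (every field passes the same permission-scoped allowlist, and anything rejected is recorded as a detection signal).

```php
<?php
// Added illustration (not FreeScout's code): a permission-scoped allowed-field
// filter versus one that lets a single setting bypass it. Permission names,
// field lists and the request shape below are assumptions for this sketch.

declare(strict_types=1);

// Hypothetical permission levels for a mailbox user (assumed, not FreeScout's constants).
const PERM_ADMIN = 'admin';   // may edit every mailbox setting
const PERM_SIG   = 'sig';     // may edit only the signature

// Fields each permission level may write (assumption for this sketch).
const ALLOWED_FIELDS = [
    PERM_ADMIN => ['name', 'email', 'signature', 'chat_start_new'],
    PERM_SIG   => ['signature'],
];

/**
 * Vulnerable pattern: fields are filtered against the allowlist, but one
 * setting is then read straight from the request and persisted anyway.
 * A user who never sees the field in the UI can still set it via a direct POST.
 */
function updateSaveVulnerable(array $request, string $perm, array $mailbox): array
{
    $allowed = ALLOWED_FIELDS[$perm] ?? [];
    foreach ($allowed as $field) {
        if (array_key_exists($field, $request)) {
            $mailbox[$field] = $request[$field];
        }
    }
    // BUG: persisted outside the allowed-field filter, regardless of $perm.
    if (array_key_exists('chat_start_new', $request)) {
        $mailbox['chat_start_new'] = (bool) $request['chat_start_new'];
    }
    return $mailbox;
}

/**
 * Hardened pattern: every persisted field passes through the same
 * permission-scoped allowlist. Anything else is dropped and collected in
 * $rejected so the caller can log it; a sig-only user submitting
 * chat_start_new is exactly the event a defender wants to see.
 */
function updateSaveHardened(array $request, string $perm, array $mailbox, array &$rejected): array
{
    $allowed = array_flip(ALLOWED_FIELDS[$perm] ?? []);
    foreach ($request as $field => $value) {
        if (!array_key_exists($field, $allowed)) {
            $rejected[] = $field;
            continue;
        }
        $mailbox[$field] = ($field === 'chat_start_new') ? (bool) $value : $value;
    }
    return $mailbox;
}

// Constructed sample: a mailbox whose chat setting is off, and a POST from a
// signature-only user that carries chat_start_new alongside the signature.
$mailbox = ['name' => 'Support', 'signature' => 'Regards', 'chat_start_new' => false];
$post    = ['signature' => 'Best regards', 'chat_start_new' => '1'];

$after = updateSaveVulnerable($post, PERM_SIG, $mailbox);
printf("vulnerable: chat_start_new=%s\n", var_export($after['chat_start_new'], true));

$rejected = [];
$after = updateSaveHardened($post, PERM_SIG, $mailbox, $rejected);
printf("hardened:   chat_start_new=%s rejected=[%s]\n",
    var_export($after['chat_start_new'], true), implode(',', $rejected));
```

With the sample input the vulnerable routine flips `chat_start_new` on for the signature-only user, while the hardened routine leaves it untouched and reports `chat_start_new` as a rejected field. The design point is that the allowlist must be the only path to persistence: any field written after or around the filter, however innocuous, is a mass-assignment hole, and logging the rejected keys gives the audit trail that the detection section above asks for without having to capture POST bodies on the wire.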

