Executive Summary

CVE-2026-41192 is a high-severity vulnerability in FreeScout versions prior to 1.8.215 involving the handling of encrypted attachment IDs in reply and draft flows.

The vulnerability occurs because the application trusts client-supplied encrypted attachment IDs without proper validation. Specifically, any IDs included in the attachments_all[] parameter but omitted from the retained attachments[] list are decrypted and passed directly to the Attachment::deleteByIds() function.

This allows a mailbox peer who can view a conversation to replay encrypted attachment IDs obtained from visible attachments and delete the original attachment record and its associated file on the server by sending a crafted save_draft request.

In summary, an attacker with read access to a mailbox conversation can maliciously delete attachments from that conversation without having delete permissions or ownership.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any mailbox peer with read access to a conversation to delete attachments from existing threads without ownership verification or delete-specific permissions.

The impact is a high loss of data integrity, as attachments can be maliciously removed by unauthorized users.

While confidentiality is not affected, the unauthorized deletion of attachments can disrupt communication and cause loss of important files.

The attack complexity is low, requires only low privileges, and no user interaction, making it relatively easy for an attacker with mailbox access to exploit.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual deletion of attachments in FreeScout conversations, especially when attachments are deleted without proper ownership or permission checks.

A practical detection method involves checking database records and HTTP responses related to attachments:

• Query the database to verify if attachment records have been unexpectedly deleted from conversation threads.
• Use HTTP requests to attachment URLs to check if they return 404 Not Found, indicating the attachment file has been removed.

Specifically, you can run SQL queries to check for missing attachments in conversation threads and monitor logs for save_draft requests that include the attachments_all[] parameter but omit the attachments[] parameter, which is the attack vector.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade FreeScout to version 1.8.215 or later, where this vulnerability has been fixed.

The fix includes validation of attachment IDs before deletion to ensure only attachments belonging to the current conversation thread can be deleted, preventing unauthorized deletion.

• Upgrade FreeScout to version 1.8.215 or newer.
• Review and apply the security patch that sanitizes attachment deletion requests by validating attachment ownership against the current thread.

Until the upgrade is applied, restrict mailbox peer permissions to limit who can access and modify attachments, and monitor for suspicious save_draft requests that could exploit this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized deletion of attachments by mailbox peers who have read access to a conversation, resulting in high integrity loss of data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized deletion of attachments could potentially violate data integrity and retention requirements mandated by such regulations.

Specifically, regulations like GDPR and HIPAA require organizations to ensure the integrity and availability of personal and sensitive data. This vulnerability undermines those principles by allowing malicious deletion of attachments without proper authorization or ownership verification.

Useful 0 Not Useful 0