CVE-2026-41192
Status: Received - Intake
Insecure Attachment ID Handling in FreeScout Allows Unauthorized Deletion

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: freescout
Product: freescout
Version / Range: up to 1.8.215 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41192 is a high-severity vulnerability in FreeScout versions prior to 1.8.215 involving the handling of encrypted attachment IDs in reply and draft flows.

The vulnerability occurs because the application trusts client-supplied encrypted attachment IDs without proper validation. Specifically, any IDs included in the attachments_all[] parameter but omitted from the retained attachments[] list are decrypted and passed directly to the Attachment::deleteByIds() function.

This allows a mailbox peer who can view a conversation to replay encrypted attachment IDs obtained from visible attachments and delete the original attachment record and its associated file on the server by sending a crafted save_draft request.

In summary, an attacker with read access to a mailbox conversation can maliciously delete attachments from that conversation without having delete permissions or ownership.


How can this vulnerability impact me?

This vulnerability allows any mailbox peer with read access to a conversation to delete attachments from existing threads without ownership verification or delete-specific permissions.

The impact is a high loss of data integrity, as attachments can be maliciously removed by unauthorized users.

While confidentiality is not affected, the unauthorized deletion of attachments can disrupt communication and cause loss of important files.

The attack complexity is low, requires only low privileges, and no user interaction, making it relatively easy for an attacker with mailbox access to exploit.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual deletion of attachments in FreeScout conversations, especially when attachments are deleted without proper ownership or permission checks.

A practical detection method involves checking database records and HTTP responses related to attachments:

  • Query the database to verify if attachment records have been unexpectedly deleted from conversation threads.
  • Use HTTP requests to attachment URLs to check if they return 404 Not Found, indicating the attachment file has been removed.

Specifically, you can run SQL queries to check for missing attachments in conversation threads and monitor logs for save_draft requests that include the attachments_all[] parameter but omit the attachments[] parameter, which is the attack vector.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade FreeScout to version 1.8.215 or later, where this vulnerability has been fixed.

The fix includes validation of attachment IDs before deletion to ensure only attachments belonging to the current conversation thread can be deleted, preventing unauthorized deletion.

  • Upgrade FreeScout to version 1.8.215 or newer.
  • Review and apply the security patch that sanitizes attachment deletion requests by validating attachment ownership against the current thread.

Until the upgrade is applied, restrict mailbox peer permissions to limit who can access and modify attachments, and monitor for suspicious save_draft requests that could exploit this vulnerability.
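The pre-fix deletion path and the thread-ownership check the advisory describes, modelled as added example code (not FreeScout's own code; the in-memory attachment table, the HMAC-tagged tokens standing in for the encrypted IDs, and the rule that a draft's own uploads are already bound to the draft's thread are all assumptions):

```python
# Model of the authorization gap behind CVE-2026-41192 (constructed example, not
# FreeScout code). "Encrypted IDs" are HMAC-tagged tokens: like real encryption,
# a valid token proves the server minted the ID, not that the caller may delete it.
import hashlib
import hmac

KEY = b"constructed-server-key"  # constructed; stands in for the app key

def fresh_table():
    # Constructed attachment table: id -> owning thread and file name.
    return {
        1: {"thread_id": 10, "file": "invoice.pdf"},      # original message
        2: {"thread_id": 10, "file": "photo.png"},        # original message
        3: {"thread_id": 20, "file": "reply-draft.txt"},  # the peer's own draft
    }

def encrypt_id(att_id: int) -> str:
    tag = hmac.new(KEY, str(att_id).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{att_id}.{tag}"

def decrypt_id(token: str) -> int:
    raw, tag = token.split(".", 1)
    if not hmac.compare_digest(encrypt_id(int(raw)).split(".", 1)[1], tag):
        raise ValueError("token tampered or not server-issued")
    return int(raw)

def delete_by_ids(table, ids):
    # Stand-in for Attachment::deleteByIds(): removes rows (and files) by id.
    deleted = [i for i in ids if i in table]
    for i in deleted:
        del table[i]
    return deleted

def save_draft_vulnerable(table, attachments_all, attachments_retained):
    # Pre-1.8.215 pattern as the advisory describes it: every token in
    # attachments_all[] missing from the retained list is decrypted and
    # deleted, with no check of which thread the attachment belongs to.
    omitted = set(attachments_all) - set(attachments_retained)
    return delete_by_ids(table, sorted(decrypt_id(t) for t in omitted))

def save_draft_fixed(table, draft_thread_id, attachments_all, attachments_retained):
    # Hardened handler: decrypt as before, then keep only IDs whose row belongs
    # to the thread this draft edits; IDs replayed from other threads are dropped.
    omitted = set(attachments_all) - set(attachments_retained)
    ids = sorted(decrypt_id(t) for t in omitted)
    owned = [i for i in ids if i in table and table[i]["thread_id"] == draft_thread_id]
    return delete_by_ids(table, owned)
```

The point the model makes is that a successful decrypt is an integrity check on the token, not an authorization decision; the row lookup against the draft's own thread is what closes CWE-862 here.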


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized deletion of attachments by mailbox peers who have read access to a conversation, resulting in high integrity loss of data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized deletion of attachments could potentially violate data integrity and retention requirements mandated by such regulations.

Specifically, regulations like GDPR and HIPAA require organizations to ensure the integrity and availability of personal and sensitive data. This vulnerability undermines those principles by allowing malicious deletion of attachments without proper authorization or ownership verification.

