CVE-2026-41903
Notification Subscription Bypass in FreeScout
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | versions before 1.8.217 (1.8.217 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41903 is an Insecure Direct Object Reference (IDOR) vulnerability in FreeScout, a help desk software. It affects versions before 1.8.217 and arises because users with the PERM_EDIT_USERS permission, which is intended only for general user profile editing, can also read and modify the notification subscriptions of any other user, including administrators.
This happens due to improper access control in the notificationsSave method, which reuses an update policy meant for profile editing but incorrectly applies it to notification subscriptions. As a result, a non-admin user with this permission can send a single POST request to silently disable an administrator's email, browser, or mobile notifications.
This vulnerability is related to a previous issue (CVE-2025-48472) but affects a different code path that was not fixed earlier. The issue has been patched in version 1.8.217.
How can this vulnerability impact me?
This vulnerability can impact you by allowing a non-admin attacker with the PERM_EDIT_USERS permission to silently disable an administrator's notifications, including security alerts and conversation-assignment notices.
As a result, administrators may lose awareness of critical security events or operational issues, leading to potential operational disruption and weakening of defense-in-depth security measures.
However, the vulnerability has a limited blast radius since it only affects notification preferences and does not expose more sensitive data such as passwords or user roles.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests targeting the notification subscription update functionality in FreeScout, specifically those made by users holding the PERM_EDIT_USERS permission.
Since the vulnerability involves sending a single POST request to modify notification subscriptions of other users, network or application logs should be inspected for unusual POST requests to the UsersController.php notificationsSave method or equivalent API endpoints.
Commands to detect such activity might include searching web server logs or application logs for POST requests that modify notification settings for users other than the requester.
- Example command to search Apache access logs for POST requests that reached the notification-save handler (adjust the log path and the URL fragment to your deployment):

```shell
grep 'POST' /var/log/apache2/access.log | grep 'notificationsSave'
```

- Or use application logs to identify changes to notification subscriptions made by non-admin users on behalf of other users.
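The two log sources named above can be checked with a short script. The following is an added example, not FreeScout's own code or tooling: it parses a constructed JSON audit log (the field names `actor_id`, `actor_role`, `target_id`, `changes` are assumptions; map them onto whatever audit trail your deployment keeps) and flags notification-subscription saves where a non-admin acted on another user's account, and it filters constructed Apache combined-format access-log lines for POST requests to an assumed notification-settings path (`/users/notifications/<id>` is a placeholder; take the real route from FreeScout's route definitions).

```python
"""Detection helpers for the CVE-2026-41903 pattern: a non-admin changing
another user's notification subscriptions.

Added example, not FreeScout's code. Log formats and the URL path are
constructed assumptions; adjust them to your deployment.
"""
import json
import re
from dataclasses import dataclass

# Constructed audit-log sample (JSON lines). Assumed fields: actor_id,
# actor_role, action, target_id, changes.
CONSTRUCTED_AUDIT_LOG = """\
{"ts":"2026-05-07T10:01:12Z","actor_id":7,"actor_role":"user","action":"notifications_save","target_id":7,"changes":{"email":false}}
{"ts":"2026-05-07T10:02:40Z","actor_id":7,"actor_role":"user","action":"notifications_save","target_id":1,"changes":{"email":false,"browser":false,"mobile":false}}
{"ts":"2026-05-07T10:03:05Z","actor_id":1,"actor_role":"admin","action":"notifications_save","target_id":3,"changes":{"browser":true}}
{"ts":"2026-05-07T10:04:00Z","actor_id":7,"actor_role":"user","action":"profile_save","target_id":2,"changes":{"name":"Bob"}}
"""

# Constructed Apache combined-format sample; the path is a placeholder route.
CONSTRUCTED_ACCESS_LOG = """\
203.0.113.5 - - [07/May/2026:10:02:40 +0000] "POST /users/notifications/1 HTTP/1.1" 302 512
203.0.113.5 - - [07/May/2026:10:02:41 +0000] "GET /users/notifications/1 HTTP/1.1" 200 9031
198.51.100.9 - - [07/May/2026:10:05:00 +0000] "POST /users/notifications/3 HTTP/1.1" 302 512
"""

APACHE_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: placeholder for the real notification-settings route.
ASSUMED_NOTIFICATIONS_PATH = re.compile(r"/users/notifications/(?P<target_id>\d+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    actor_id: int
    target_id: int
    disabled: tuple  # notification channels switched off in this change


def find_cross_user_notification_changes(audit_log: str):
    """Return audit records where a non-admin saved someone else's subscriptions."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "notifications_save":
            continue
        # Expected cases: a user editing their own settings, or an admin acting.
        if rec["actor_id"] == rec["target_id"] or rec.get("actor_role") == "admin":
            continue
        disabled = tuple(sorted(
            ch for ch, on in rec.get("changes", {}).items() if on is False
        ))
        findings.append(Finding(rec["ts"], rec["actor_id"], rec["target_id"], disabled))
    return findings


def notification_posts(access_log: str):
    """Return (client_ip, target_user_id, status) for POSTs to the settings route.

    Access logs do not carry the application user, so this only narrows the
    set of requests to correlate with the audit trail above.
    """
    hits = []
    for line in access_log.splitlines():
        m = APACHE_LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = ASSUMED_NOTIFICATIONS_PATH.search(m["path"])
        if p:
            hits.append((m["ip"], int(p["target_id"]), int(m["status"])))
    return hits


if __name__ == "__main__":
    for f in find_cross_user_notification_changes(CONSTRUCTED_AUDIT_LOG):
        print(f"{f.ts}: user {f.actor_id} changed user {f.target_id}'s "
              f"subscriptions, disabled={f.disabled}")
    for ip, target, status in notification_posts(CONSTRUCTED_ACCESS_LOG):
        print(f"POST to notification settings of user {target} from {ip} -> {status}")
```

The audit-log check is the one that yields a real signal, because only the application knows who was logged in; the access-log filter is there to find the requests worth correlating with it. On the constructed sample, the only finding is user 7 disabling all three channels for user 1, which matches the single-request pattern the advisory describes.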
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeScout to version 1.8.217 or later, where this vulnerability has been patched.
Until the upgrade can be applied, restrict the PERM_EDIT_USERS permission to trusted users only, as this permission allows modification of other users' notification subscriptions.
Additionally, monitor and audit any changes to notification settings, especially those made by non-admin users, to detect potential exploitation attempts.
Long-term, the software should enforce stricter access controls in the notificationsSave method to ensure only administrators or the user themselves can modify notification settings.
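The difference between the reused profile-editing rule and the stricter rule described above can be made concrete with a small authorization model. This is an added example, not FreeScout's code: only the permission name PERM_EDIT_USERS comes from the advisory; the `User` class and the policy functions are a constructed illustration of the flawed and the corrected decision.

```python
"""Model of the authorization decision for saving a user's notification
subscriptions. Added example, not FreeScout's code; PERM_EDIT_USERS is the
permission named in the advisory, everything else is constructed.
"""
from dataclasses import dataclass

PERM_EDIT_USERS = "PERM_EDIT_USERS"  # permission name taken from the advisory


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False
    permissions: frozenset = frozenset()


def can_edit_profile(actor: User, target: User) -> bool:
    """Profile-editing rule: self, admin, or the delegated edit-users permission."""
    return (actor.is_admin
            or actor.id == target.id
            or PERM_EDIT_USERS in actor.permissions)


def can_save_notifications_flawed(actor: User, target: User) -> bool:
    """The pattern the advisory describes: the profile-editing policy is reused
    for notification subscriptions, so PERM_EDIT_USERS reaches every user's
    settings, including an administrator's."""
    return can_edit_profile(actor, target)


def can_save_notifications_strict(actor: User, target: User) -> bool:
    """Stricter rule from the mitigation guidance: only the user themselves or
    an administrator may change notification settings."""
    return actor.is_admin or actor.id == target.id


def compare_policies():
    """Evaluate both policies over constructed actor/target pairs.

    Returns {case: (flawed_allows, strict_allows)}.
    """
    admin = User(1, is_admin=True)
    editor = User(7, permissions=frozenset({PERM_EDIT_USERS}))
    plain = User(9)
    cases = {
        "editor->admin": (editor, admin),   # the advisory's scenario
        "editor->self": (editor, editor),
        "admin->editor": (admin, editor),
        "plain->admin": (plain, admin),
    }
    return {
        name: (can_save_notifications_flawed(a, t), can_save_notifications_strict(a, t))
        for name, (a, t) in cases.items()
    }


if __name__ == "__main__":
    for name, (flawed, strict) in compare_policies().items():
        print(f"{name:14} flawed={flawed!s:5} strict={strict!s:5}")
```

The only row where the two policies disagree is the advisory's scenario, a PERM_EDIT_USERS holder targeting an administrator: the reused profile rule allows it, the stricter rule does not, while self-service and administrator actions are unchanged.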
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a user with the PERM_EDIT_USERS permission to silently disable an administrator's notifications, including security alerts. This suppression of security alerts can lead to operational disruption and a degradation of defense-in-depth measures, potentially increasing the risk of unnoticed security incidents.
While the vulnerability does not expose sensitive personal data directly, the ability to disable critical notifications could indirectly impact compliance with standards like GDPR and HIPAA, which require timely detection and response to security events to protect personal and sensitive information.
Therefore, this vulnerability may weaken an organization's ability to maintain required security controls and incident response capabilities mandated by such regulations.