CVE-2026-41903
Deferred Deferred - Pending Action
Notification Subscription Bypass in FreeScout

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass β€” the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41903
EUVD
EUVD-2026-28406
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.217 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41903 is an Insecure Direct Object Reference (IDOR) vulnerability in FreeScout, a help desk software. It affects versions before 1.8.217 and arises because users with the PERM_EDIT_USERS permission, which is intended only for general user profile editing, can also read and modify the notification subscriptions of any other user, including administrators.

This happens due to improper access control in the notificationsSave method, which reuses an update policy meant for profile editing but incorrectly applies it to notification subscriptions. As a result, a non-admin user with this permission can send a single POST request to silently disable an administrator's email, browser, or mobile notifications.

This vulnerability is related to a previous issue (CVE-2025-48472) but affects a different code path that was not fixed earlier. The issue has been patched in version 1.8.217.

Impact Analysis

This vulnerability can impact you by allowing a non-admin attacker with the PERM_EDIT_USERS permission to silently disable an administrator's notifications, including security alerts and conversation-assignment notices.

As a result, administrators may lose awareness of critical security events or operational issues, leading to potential operational disruption and weakening of defense-in-depth security measures.

However, the vulnerability has a limited blast radius since it only affects notification preferences and does not expose more sensitive data such as passwords or user roles.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests targeting the notification subscription update functionality in FreeScout, specifically those made by users holding the PERM_EDIT_USERS permission.

Since the vulnerability involves sending a single POST request to modify notification subscriptions of other users, network or application logs should be inspected for unusual POST requests to the UsersController.php notificationsSave method or equivalent API endpoints.

Commands to detect such activity might include searching web server logs or application logs for POST requests that modify notification settings for users other than the requester.

  • Example command to search Apache logs for suspicious POST requests (adjust path and parameters accordingly):
  • grep 'POST' /var/log/apache2/access.log | grep 'notificationsSave'
  • Or using application logs to identify changes to notification subscriptions by non-admin users for other users.
Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.217 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict the PERM_EDIT_USERS permission to trusted users only, as this permission allows modification of other users' notification subscriptions.

Additionally, monitor and audit any changes to notification settings, especially those made by non-admin users, to detect potential exploitation attempts.

Long-term, the software should enforce stricter access controls in the notificationsSave method to ensure only administrators or the user themselves can modify notification settings.

Compliance Impact

This vulnerability allows a user with the PERM_EDIT_USERS permission to silently disable an administrator's notifications, including security alerts. This suppression of security alerts can lead to operational disruption and a degradation of defense-in-depth measures, potentially increasing the risk of unnoticed security incidents.

While the vulnerability does not expose sensitive personal data directly, the ability to disable critical notifications could indirectly impact compliance with standards like GDPR and HIPAA, which require timely detection and response to security events to protect personal and sensitive information.

Therefore, this vulnerability may weaken an organization's ability to maintain required security controls and incident response capabilities mandated by such regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41903. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart