Executive Summary

CVE-2026-41906 is an authorization bypass vulnerability in FreeScout Help Desk software versions prior to 1.8.214. The issue arises because the backend action that changes the customer associated with a conversation accepts any supplied customer email without proper validation, even though the frontend correctly hides customers that are out of scope based on mailbox filters.

This means a low-privileged agent can forge a request to rebind a visible conversation to a hidden customer in another mailbox, bypassing intended access restrictions.

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS score of 7.1, indicating high severity with low attack complexity and no user interaction required.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a low-privileged user to access or manipulate data they should not have access to by reassigning conversations to hidden customers in other mailboxes.

As a result, unauthorized users could view or modify sensitive customer information, potentially leading to data leaks or misuse of customer data.

Because the attack requires only low privileges and no user interaction, it poses a significant risk to the confidentiality and integrity of customer data within the FreeScout system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a low-privileged agent forging requests to the backend conversation_change_customer action to bind conversations to hidden customers. Detection would involve monitoring for unusual or unauthorized API requests that attempt to change conversation customer bindings, especially those that include customer_email parameters not visible to the agent.

Specifically, detection could focus on identifying forged requests where the customer_email parameter is used to rebind conversations to customers outside the agent's mailbox scope.

However, no explicit commands or detection tools are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade FreeScout to version 1.8.214 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider restricting low-privileged agents' ability to invoke the conversation_change_customer action or monitor and block suspicious requests attempting to change conversation customer bindings.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a low-privileged agent to bypass authorization controls and access or modify data associated with hidden customers in other mailboxes. Such unauthorized access to another user's data can lead to violations of data privacy and protection requirements mandated by standards like GDPR and HIPAA.

Specifically, the flaw enables an attacker to rebind conversations to customers they should not have visibility into, potentially exposing sensitive personal or health information. This undermines confidentiality and access control principles critical to compliance with these regulations.

Useful 0 Not Useful 0