CVE-2026-41906
Status: Deferred - Pending Action
Privilege Escalation in FreeScout via Customer Binding

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: freescout
Product: freescout
Version / Range: up to 1.8.214 (excluding)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a low-privileged agent to bypass authorization controls and access or modify data associated with hidden customers in other mailboxes. Such unauthorized access to another user's data can lead to violations of data privacy and protection requirements mandated by standards like GDPR and HIPAA.

Specifically, the flaw enables an attacker to rebind conversations to customers they should not have visibility into, potentially exposing sensitive personal or health information. This undermines confidentiality and access control principles critical to compliance with these regulations.


Can you explain this vulnerability to me?

CVE-2026-41906 is an authorization bypass vulnerability in FreeScout Help Desk software versions prior to 1.8.214. The issue arises because the backend action that changes the customer associated with a conversation accepts any supplied customer email without proper validation, even though the frontend correctly hides customers that are out of scope based on mailbox filters.

This means a low-privileged agent can forge a request to rebind a visible conversation to a hidden customer in another mailbox, bypassing intended access restrictions.

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS score of 7.1, indicating high severity with low attack complexity and no user interaction required.


How can this vulnerability impact me?

This vulnerability allows a low-privileged user to access or manipulate data they should not have access to by reassigning conversations to hidden customers in other mailboxes.

As a result, unauthorized users could view or modify sensitive customer information, potentially leading to data leaks or misuse of customer data.

Because the attack requires only low privileges and no user interaction, it poses a significant risk to the confidentiality and integrity of customer data within the FreeScout system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a low-privileged agent forging requests to the backend conversation_change_customer action to bind conversations to hidden customers. Detection would involve monitoring for unusual or unauthorized API requests that attempt to change conversation customer bindings, especially those that include customer_email parameters not visible to the agent.

Specifically, detection could focus on identifying forged requests where the customer_email parameter is used to rebind conversations to customers outside the agent's mailbox scope.

However, no explicit commands or detection tools are provided in the available resources.
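As an added detection example (not part of this advisory, and not FreeScout's own code), the following Python sweeps a request log for conversation_change_customer calls whose customer_email lies outside the calling agent's mailbox scope. The JSON-lines log format and its field names (agent, action, conversation_id, customer_email), the agent-to-mailbox map and the customer directory are assumptions constructed for this example; in practice the map and directory would be exported from your own FreeScout data. Only the action name and the customer_email parameter come from the advisory text.

```python
"""
Added detection example for CVE-2026-41906 (constructed; not the advisory's
or FreeScout's own code). All data below is made up for illustration.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed access model (assumption): agent -> mailboxes the agent may see.
AGENT_MAILBOXES: Dict[str, Set[str]] = {
    "agent_low": {"support"},
    "agent_admin": {"support", "billing"},
}

# Constructed customer directory (assumption): mailbox -> customer e-mails in scope.
MAILBOX_CUSTOMERS: Dict[str, Set[str]] = {
    "support": {"alice@example.test", "bob@example.test"},
    "billing": {"carol@example.test"},
}

# Constructed sample log in an assumed JSON-lines format. The third line is
# the pattern the advisory describes: a low-privileged agent rebinding a
# conversation to a customer who exists only in a mailbox the agent cannot see.
SAMPLE_LOG = """\
{"ts":"2026-05-07T10:00:01Z","agent":"agent_low","action":"conversation_change_customer","conversation_id":101,"customer_email":"bob@example.test"}
{"ts":"2026-05-07T10:00:05Z","agent":"agent_admin","action":"conversation_change_customer","conversation_id":102,"customer_email":"carol@example.test"}
{"ts":"2026-05-07T10:00:09Z","agent":"agent_low","action":"conversation_change_customer","conversation_id":103,"customer_email":"carol@example.test"}
{"ts":"2026-05-07T10:00:12Z","agent":"agent_low","action":"conversation_reply","conversation_id":103}
{"ts":"2026-05-07T10:00:15Z","agent":"agent_low","action":"conversation_change_customer","conversation_id":104,"customer_email":"nobody@example.test"}
"""


def customers_in_scope(agent: str,
                       agent_mailboxes: Dict[str, Set[str]],
                       mailbox_customers: Dict[str, Set[str]]) -> Set[str]:
    """Union of the customer e-mails in every mailbox the agent may see."""
    scope: Set[str] = set()
    for mailbox in agent_mailboxes.get(agent, set()):
        scope |= mailbox_customers.get(mailbox, set())
    return scope


def find_out_of_scope_rebinds(log_lines: Iterable[str],
                              agent_mailboxes: Dict[str, Set[str]],
                              mailbox_customers: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per conversation_change_customer call whose
    customer_email is not in the calling agent's scope.

    reason == "hidden_customer": the e-mail belongs to a customer in a mailbox
        the agent cannot see (the CVE-2026-41906 pattern).
    reason == "unknown_customer": the e-mail is in no mailbox at all; this may
        be a new-customer workflow and should be triaged separately.
    """
    all_known: Set[str] = set().union(*mailbox_customers.values())
    findings: List[dict] = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if event.get("action") != "conversation_change_customer":
            continue
        email = (event.get("customer_email") or "").strip().lower()
        agent = event.get("agent", "")
        if not email or email in customers_in_scope(agent, agent_mailboxes, mailbox_customers):
            continue
        findings.append({
            "ts": event.get("ts"),
            "agent": agent,
            "conversation_id": event.get("conversation_id"),
            "customer_email": email,
            "reason": "hidden_customer" if email in all_known else "unknown_customer",
        })
    return findings


if __name__ == "__main__":
    for f in find_out_of_scope_rebinds(SAMPLE_LOG.splitlines(), AGENT_MAILBOXES, MAILBOX_CUSTOMERS):
        print(f"{f['ts']} {f['agent']} conversation={f['conversation_id']} "
              f"customer_email={f['customer_email']} reason={f['reason']}")
```

The check mirrors the authorization FreeScout's patched backend is described as enforcing: the customer named in the request must already be visible to the agent through a mailbox the agent can access. Run the same function over your real request log once it has been exported in the assumed shape; any "hidden_customer" finding from before the upgrade to 1.8.214 is worth reviewing, and the affected conversations can then be rebound to their correct customers.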


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade FreeScout to version 1.8.214 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider restricting low-privileged agents' ability to invoke the conversation_change_customer action or monitor and block suspicious requests attempting to change conversation customer bindings.

