Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
Published: 2026-04-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch
AI Analysis

Impact

FreeScout versions before 1.8.212 ignore the limit_user_customer_visibility setting when merging customer records. The merge operation therefore combines data across mailboxes, allowing a user who merges customers to view or edit information belonging to other mailboxes. The bug is an access-control failure (CWE-639) and results in an unauthorized elevation of privileges.

Affected Systems

Any FreeScout installation (built on PHP's Laravel framework) running a version earlier than 1.8.212 is vulnerable. The issue was identified by the maintainers and addressed in the 1.8.212 release.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. EPSS data was not available for this analysis, and the vulnerability is not listed in any known exploited vulnerabilities catalog, which suggests it is not yet widely attacked. An attacker would typically need legitimate access to the merge function, via the web interface or an API, and would exploit the flaw by selecting customers from different mailboxes and merging them. The impact is a direct escalation of privileges that may expose sensitive customer information. The mitigation is to apply the vendor-provided patch or upgrade to a non-vulnerable version.

Generated by OpenCVE AI on April 7, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.212 or later


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:15:00 +0000

Type: First Time appeared
Values Added: Freescout; Freescout freescout

Type: CPEs
Values Added: cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Freescout; Freescout freescout

Thu, 09 Apr 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Vendors & Products
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
Values Added: FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.

Type: Title
Values Added: FreeScout Customer Merge Cross-Mailbox Authorization Bypass

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:18:45.817Z

Reserved: 2026-04-06T22:06:40.515Z

Link: CVE-2026-39384

Vulnrichment

Updated: 2026-04-09T16:11:38.563Z

NVD

Status: Analyzed

Published: 2026-04-07T17:16:37.373

Modified: 2026-04-24T18:03:02.470

Link: CVE-2026-39384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:04Z

Weaknesses