Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.
Published: 2026-04-21
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized PII Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization check in the load_customer_info action of the POST /conversation/ajax endpoint: the handler verifies that the caller is authenticated but not that the caller holds the mailbox access that should gate the customer's data. An authenticated user can therefore supply any email address and retrieve the full customer profile, exposing personally identifiable information (PII). The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key, the email address being the user-controlled key) and CWE-862 (Missing Authorization); it compromises the confidentiality of customer data and can lead to privacy breaches and regulatory non-compliance.
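The missing check described above, modelled as an added example in Python. This is not FreeScout's code (which is PHP): the data model, function names and HTTP-style status codes are assumptions made for this illustration, and the exact check introduced in 1.8.213 is not shown on this page. The vulnerable loader resolves the email to a profile for anyone who is authenticated; the hardened loader also requires that the caller can read a mailbox the customer has a conversation in, and answers "not found" identically for unknown and inaccessible addresses so the action cannot be used to confirm which emails belong to customers:

```python
"""Illustrative model of the load_customer_info authorization flaw.

Added example, not FreeScout's code. Users, mailboxes, customers and
conversations are a constructed in-memory model; the rule "a user may see a
customer if they can read a mailbox the customer has a conversation in" is
an assumption about what "verifying mailbox access" should mean here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    mailbox_ids: frozenset  # mailboxes this agent is allowed to read


@dataclass(frozen=True)
class Customer:
    email: str
    profile: dict  # PII: name, phone, notes, ...


@dataclass(frozen=True)
class Conversation:
    mailbox_id: int
    customer_email: str


class AuthorizationError(Exception):
    """Raised when the caller may not see the requested customer."""


class HelpDesk:
    def __init__(self, customers, conversations):
        self._customers = {c.email.lower(): c for c in customers}
        self._conversations = list(conversations)

    def customer_mailboxes(self, email):
        """Mailboxes in which this customer has at least one conversation."""
        email = email.lower()
        return {c.mailbox_id for c in self._conversations
                if c.customer_email.lower() == email}

    def can_view_customer(self, user, email):
        """The check the vulnerable action omitted: is the customer reachable
        through a mailbox the user can read?"""
        return bool(self.customer_mailboxes(email) & user.mailbox_ids)

    def load_customer_info_vulnerable(self, user, email):
        """Before the fix: authentication is assumed by the router, but the
        user-controlled key (email) is never tied to the user's mailboxes."""
        customer = self._customers.get(email.lower())
        return None if customer is None else dict(customer.profile)

    def load_customer_info_fixed(self, user, email):
        """After the fix: deny unless the mailbox check passes. Unknown and
        inaccessible emails raise the same error so the response does not
        reveal whether an address belongs to a customer."""
        customer = self._customers.get(email.lower())
        if customer is None or not self.can_view_customer(user, email):
            raise AuthorizationError("customer not found or not accessible")
        return dict(customer.profile)


def ajax_load_customer_info(desk, user, params, patched=True):
    """Simulated handler for action=load_customer_info on POST /conversation/ajax.
    Returns (status, body); the status codes are this example's choice."""
    email = (params.get("email") or "").strip()
    if not email:
        return 400, {"error": "email required"}
    try:
        loader = desk.load_customer_info_fixed if patched else desk.load_customer_info_vulnerable
        profile = loader(user, email)
    except AuthorizationError:
        return 404, {"error": "customer not found"}
    if profile is None:
        return 404, {"error": "customer not found"}
    return 200, {"customer": profile}


def build_demo():
    """Constructed data: two mailboxes, one customer in each."""
    customers = [
        Customer("alice@example.com", {"name": "Alice Adams", "phone": "+1-555-0100"}),
        Customer("bob@example.com", {"name": "Bob Brown", "phone": "+1-555-0101"}),
    ]
    conversations = [
        Conversation(mailbox_id=1, customer_email="alice@example.com"),  # support mailbox
        Conversation(mailbox_id=2, customer_email="bob@example.com"),    # billing mailbox
    ]
    return HelpDesk(customers, conversations)


SUPPORT_AGENT = User(id=7, mailbox_ids=frozenset({1}))  # can read mailbox 1 only


if __name__ == "__main__":
    desk = build_demo()
    for patched in (False, True):
        print("patched" if patched else "vulnerable",
              ajax_load_customer_info(desk, SUPPORT_AGENT, {"email": "bob@example.com"}, patched))
```

Run stand-alone, the script shows the support agent (mailbox 1 only) receiving Bob's profile from the vulnerable path and a uniform 404 from the fixed one. Returning a distinct 403 for "exists but not yours" would close the PII leak but leave an email-existence oracle, which is why the fixed loader collapses both cases into one error.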

Affected Systems

The flaw affects installations of FreeScout Help Desk version 1.8.212 and earlier. Any deployment of the open-source software that predates the 1.8.213 release is susceptible. The vendor's advisory describes the problem and states that upgrading to 1.8.213 or later resolves it.

Risk and Exploitability

The CVSS v4.0 score of 5.7 (Medium) reflects a high confidentiality impact (VC:H) with no integrity or availability impact, reachable over the network by any low-privileged authenticated user (PR:L) with no user interaction. EPSS is below 1% and the vulnerability is not listed in CISA's KEV catalog, so there is no indication of in-the-wild exploitation; the vector's E:P and the SSVC value "Exploitation: poc" do indicate that a proof of concept exists. Exploitation requires only an authenticated session, typically an ordinary agent account, and a target email address: the attacker sends a POST to /conversation/ajax carrying the load_customer_info action and the address, and reads the profile from the response; with a list of addresses, profiles can be harvested in bulk. No code execution or denial of service is implied, so the threat is loss of customer data confidentiality.

Generated by OpenCVE AI on April 21, 2026 at 22:38 UTC.

Remediation

Fixed in FreeScout 1.8.213. Upgrade to 1.8.213 or later; no separate vendor workaround is listed for earlier versions.

OpenCVE Recommended Actions

  • Upgrade to FreeScout version 1.8.213 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, restrict who can invoke load_customer_info. Note that /conversation/ajax serves many actions selected by a request parameter, so blocking the path outright at a reverse proxy would break other help-desk functions; the restriction has to key on the action value, which means inspecting the request body or adding the check in the application itself.
  • Enable logging and monitoring for requests to customer data endpoints. Because the action and the email are request parameters rather than part of the URL, a web-server access log alone cannot distinguish load_customer_info from other ajax calls; log the action and the looked-up address at the application level and alert on accounts that request many distinct customer addresses in a short period.
  • Review user accounts: any authenticated account can trigger the flaw regardless of its mailbox permissions, so remove stale or unnecessary accounts, and keep mailbox access minimal so that a compromised or malicious account exposes as little as possible once the fix is in place.
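A detection check for the logging item above, as an added example (not OpenCVE's or FreeScout's code). It assumes an application-level JSON log that records the ajax action and the looked-up email per request, which a plain access log does not provide; the log lines, field names, window size and threshold are constructed for this illustration. It flags accounts that look up an unusual number of distinct customer addresses within a short window, the pattern a bulk PII harvest through load_customer_info would leave:

```python
"""Flag bulk customer-profile lookups through load_customer_info.

Added example, not FreeScout's or OpenCVE's code. Assumes the application
writes one JSON object per request with the ajax action and the email
parameter (constructed format); the 10-minute window and threshold of 5
distinct addresses are arbitrary starting points to tune per deployment.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # distinct emails per user per window before alerting

# Constructed sample log: user 9 walks a list of addresses in seconds,
# user 3 re-opens the same customer, user 5 looks up two customers an hour apart.
SAMPLE_LOG = """
{"ts":"2026-04-21T10:00:01Z","user_id":3,"path":"/conversation/ajax","action":"load_customer_info","email":"alice@example.com"}
{"ts":"2026-04-21T10:00:03Z","user_id":3,"path":"/conversation/ajax","action":"load_customer_info","email":"Alice@example.com"}
{"ts":"2026-04-21T10:00:05Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u1@corp.test"}
{"ts":"2026-04-21T10:00:07Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u2@corp.test"}
{"ts":"2026-04-21T10:00:08Z","user_id":9,"path":"/conversation/ajax","action":"saved_reply"}
{"ts":"2026-04-21T10:00:09Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u3@corp.test"}
{"ts":"2026-04-21T10:00:11Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u4@corp.test"}
{"ts":"2026-04-21T10:00:13Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u5@corp.test"}
{"ts":"2026-04-21T10:00:15Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u6@corp.test"}
{"ts":"2026-04-21T10:30:00Z","user_id":5,"path":"/conversation/ajax","action":"load_customer_info","email":"bob@example.com"}
{"ts":"2026-04-21T10:45:00Z","user_id":5,"path":"/conversation/ajax","action":"load_customer_info","email":"carol@example.com"}
{"ts":"2026-04-21T11:00:00Z","user_id":9,"path":"/conversation/ajax","action":"load_customer_info","email":"u7@corp.test"}
"""


def parse_events(text):
    """Keep only load_customer_info calls with an email; return sorted
    (timestamp, user_id, normalised email) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("path") != "/conversation/ajax" or rec.get("action") != "load_customer_info":
            continue
        if not rec.get("email"):
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["user_id"], rec["email"].strip().lower()))
    events.sort()
    return events


def detect_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per user over distinct looked-up emails. One alert per
    burst: the window is cleared after alerting so a single sweep does not
    produce an alert on every subsequent request."""
    recent = defaultdict(deque)  # user_id -> deque of (ts, email), oldest first
    alerts = []
    for ts, uid, email in events:
        q = recent[uid]
        q.append((ts, email))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {e for _, e in q}
        if len(distinct) >= threshold:
            alerts.append({"user_id": uid, "distinct_emails": len(distinct),
                           "from": q[0][0], "to": ts})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_events(SAMPLE_LOG)):
        print(alert)
```

Repeated lookups of the same customer (user 3) and a normal working pace (user 5) stay below the threshold; the sweep by user 9 trips it at the fifth distinct address. Correlating the flagged user's mailbox permissions against the looked-up customers is the follow-up step once the application records both.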

Generated by OpenCVE AI on April 21, 2026 at 22:38 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Vendors & Products
Values removed: (none)
Values added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Metrics (ssvc)
Values removed: (none)
Values added: SSVC 2.0.3 with Exploitation: poc; Automatable: no; Technical Impact: partial


Tue, 21 Apr 2026 17:15:00 +0000

Type: Description
Values added: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.

Type: Title
Values added: FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII

Type: Weaknesses
Values added: CWE-639; CWE-862

Type: References
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values added: score 5.7; vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P


Subscriptions

Freescout Helpdesk Freescout
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:11:51.385Z

Reserved: 2026-04-14T13:24:29.474Z

Link: CVE-2026-40570

Vulnrichment

Updated: 2026-04-21T19:11:48.223Z

NVD

Status : Deferred

Published: 2026-04-21T17:16:55.593

Modified: 2026-04-22T21:10:14.290

Link: CVE-2026-40570

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses