Impact
A low‑privileged agent can edit an existing customer record and add an e‑mail address already owned by a hidden customer in another mailbox. The system reveals the hidden customer’s name and profile URL in the success flash, reassigns the email to the visible customer, and rebinds the hidden‑mailbox conversations for that e‑mail to the visible customer. The result is an unauthorized takeover of the customer’s account and potential access to the hidden mailbox’s communications, representing a serious compromise of customer data integrity and confidentiality. This weakness is a classic example of improper access control (CWE‑639).
Affected Systems
The flaw affects deployments running freescout-help-desk:freescout before version 1.8.214, the release that contains the fix.
Risk and Exploitability
The CVSS score of 7.6 indicates high severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack path involves a low‑privileged agent who has permission to edit customer records; by adding an e‑mail address that belongs to a hidden customer, the agent can trigger the server to reassign the address and expose sensitive information. Because the attacker only needs an existing account with editing privileges, exploitation is considered feasible in an environment where such agents exist. No additional prerequisites beyond normal agent access are required.
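The missing check described above, modelled defensively as an added Python example (not FreeScout's own PHP code): an agent may move an e‑mail address off another customer only when every mailbox that customer's conversations belong to is one the agent can access, and a refusal is returned as a generic error rather than a flash naming the hidden customer. The data model, function names and sample records are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed in-memory model of the records involved in this flaw; it is an
# added illustration, not FreeScout's own code or schema.
@dataclass
class Customer:
    id: int
    name: str
    emails: set = field(default_factory=set)
@dataclass
class Conversation:
    mailbox_id: int
    customer_email: str
    customer_id: int
@dataclass
class Store:
    customers: dict       # customer id -> Customer
    conversations: list   # conversations across every mailbox

    def owner_of(self, email):
        return next((c for c in self.customers.values() if email in c.emails), None)

    def mailboxes_of(self, customer_id):
        return {cv.mailbox_id for cv in self.conversations if cv.customer_id == customer_id}

def add_email(store, agent_mailboxes, target_id, email):
    """Attach `email` to customer `target_id` for an agent who can access
    `agent_mailboxes`. If another customer owns the address, move it only when
    every mailbox holding that customer's conversations is visible to the
    agent; otherwise refuse with a generic error that does not name the owner."""
    current = store.owner_of(email)
    if current is not None and current.id != target_id:
        if not store.mailboxes_of(current.id) <= agent_mailboxes:
            raise PermissionError("This email address cannot be added.")
        current.emails.discard(email)
        for cv in store.conversations:
            if cv.customer_email == email:
                cv.customer_id = target_id   # rebind only conversations the agent may see
    store.customers[target_id].emails.add(email)
    return sorted(store.customers[target_id].emails)

def sample_store():
    """Constructed data: customer 2 appears only in mailbox 9, hidden from an agent limited to mailbox 1."""
    return Store(
        customers={1: Customer(1, "Visible Vera", {"vera@example.com"}),
                   2: Customer(2, "Hidden Hal", {"hal@example.com"})},
        conversations=[Conversation(1, "vera@example.com", 1),
                       Conversation(9, "hal@example.com", 2)])
```

A real handler would also check the hidden customer's own mailbox visibility, since a customer with no conversations yet has an empty mailbox set and would pass the subset test.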
OpenCVE Enrichment