Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.
Published: 2026-04-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Existing Data
Action: Apply Patch
AI Analysis

Impact

FreeScout's Change Customer modal allowed new customers to be created via a POST endpoint without enforcing unique-email validation when the caller had only limited visibility of customers. If an attacker supplies an email that already belongs to a hidden customer, the create routine reuses that hidden customer object and populates its empty profile fields with attacker-controlled data. This permits alteration of a hidden customer's profile, potentially leaking sensitive information or facilitating impersonation. The weakness is CWE-639, an authorization bypass that enables manipulation of data belonging to another user.
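The scope mismatch described in the Description and in the paragraph above, as an added Python model (constructed here; not FreeScout's own code): the uniqueness validator only considers customers the caller is allowed to see, while the write path looks up the email across the whole table and reuses the hidden record. `Customer`, `sample_store`, `create_vulnerable` and `create_fixed` are assumed names for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Customer:
    email: str
    first_name: str = ""
    phone: str = ""
    hidden: bool = False


def sample_store():
    """Constructed table: one hidden customer whose phone field is still empty."""
    return {"alice@example.com": Customer("alice@example.com", first_name="Alice", hidden=True)}


def _email_taken_in_scope(store, email, can_see_hidden):
    # Validator that only looks at customers the caller is permitted to view.
    return any(c.email == email and (can_see_hidden or not c.hidden) for c in store.values())


def create_vulnerable(store, data, can_see_hidden):
    """Before-fix pattern: visibility-scoped validation, table-wide lookup and reuse."""
    if _email_taken_in_scope(store, data["email"], can_see_hidden):
        raise ValueError("email already taken")
    # Validation passed because the hidden record was out of scope, but the
    # write path finds it anyway, reuses it and fills its empty fields from
    # the request body (existing non-empty fields are left alone).
    cust = store.get(data["email"]) or Customer(data["email"])
    for key in ("first_name", "phone"):
        if not getattr(cust, key) and data.get(key):
            setattr(cust, key, data[key])
    store[cust.email] = cust
    return cust


def create_fixed(store, data, can_see_hidden):
    """Hardened pattern: decide uniqueness on the same scope the write uses."""
    if data["email"] in store:
        # Rejecting here, regardless of visibility, is what keeps the hidden
        # record from being mutated by a caller who cannot see it.
        raise ValueError("email already taken")
    cust = Customer(data["email"], data.get("first_name", ""), data.get("phone", ""))
    store[cust.email] = cust
    return cust
```

A test worth keeping in a regression suite: a limited-visibility caller posting a hidden customer's email must be rejected, and the hidden record's fields must be unchanged afterwards.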

Affected Systems

Any installation of FreeScout earlier than version 1.8.214 is affected; the flaw is in the freescout-help-desk FreeScout application itself, and the 1.8.214 release corrects it.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the vulnerability is not listed in CISA's KEV catalog, suggesting no confirmed exploit activity. The EPSS score is not available, so the current probability of exploitation is unknown. An attacker would need to send a crafted POST request to the /customers/ajax endpoint, which may be restricted to users with permission to create customers or to view the hidden-customer table. Because of the missing unique-email check, the flaw can be used to modify hidden customer records without any privileges beyond the legitimate sender role.

Generated by OpenCVE AI on April 21, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.214 or later.
  • Restrict access to the /customers/ajax endpoint and enforce unique-email validation on all customer creation requests.
  • Audit existing hidden customers and verify that no sensitive information has been unintentionally exposed or altered.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products    (none)           Freescout Helpdesk; Freescout Helpdesk freescout
Metrics               (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.
Title         (none)           FreeScout's Customer AJAX Create Modifies Hidden Existing Customer
Weaknesses    (none)           CWE-639
References    (none)
Metrics       (none)           cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:39:21.865Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40590

Vulnrichment

Updated: 2026-04-21T17:39:14.073Z

NVD

Status : Received

Published: 2026-04-21T17:16:56.803

Modified: 2026-04-21T18:16:51.337

Link: CVE-2026-40590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses