Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.
Published: 2026-04-21
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized message recall by shared mailbox peers
Action: Apply Patch
AI Analysis

Impact

FreeScout exposes an undo-send route, `GET /conversation/undo-reply/{thread_id}`. If the request arrives within 15 seconds of a reply being sent, the server deletes that reply. The authorization check only verifies that the requester can view the parent conversation; it never checks that the requester is the author of the thread being undone (CWE-862, missing authorization). Any agent with access to the same shared mailbox can therefore recall a colleague's just-sent reply. The primary impact is to integrity (the message the author sent is silently withdrawn), with a lesser impact on availability of the conversation history, which matches the CVSS vector of C:N/I:H/A:L.
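The following is an added illustration of the access-control flaw, not FreeScout's own code (FreeScout is a PHP/Laravel application; this is a language-neutral model written in Python for the example). The data model, the `can_view_conversation` helper and the sample agents are assumptions made for the demonstration. `undo_reply_vulnerable` reproduces the pre-1.8.214 logic, which authorizes on the parent conversation only; `undo_reply_fixed` adds the missing ownership check so that only the agent who sent the reply can undo it:

```python
"""Model of the undo-reply authorization check, before and after the fix."""
from dataclasses import dataclass, field

UNDO_WINDOW_SECONDS = 15  # the undo window described in the advisory


@dataclass(frozen=True)
class User:
    id: int
    mailbox_ids: frozenset  # mailboxes this agent is a member of (assumed model)


@dataclass(frozen=True)
class Conversation:
    id: int
    mailbox_id: int


@dataclass(frozen=True)
class Thread:
    id: int
    conversation_id: int
    created_by_user_id: int  # the agent who sent the reply
    created_at: float        # epoch seconds when the reply was sent


@dataclass
class Store:
    conversations: dict = field(default_factory=dict)
    threads: dict = field(default_factory=dict)


def can_view_conversation(user: User, conv: Conversation) -> bool:
    # Hypothetical view check: an agent may view any conversation in a mailbox
    # they belong to. This is the only check the vulnerable route performs.
    return conv.mailbox_id in user.mailbox_ids


def _lookup(store: Store, thread_id: int):
    thread = store.threads.get(thread_id)
    if thread is None:
        return None, None
    return thread, store.conversations[thread.conversation_id]


def undo_reply_vulnerable(store: Store, user: User, thread_id: int, now: float) -> str:
    """Pre-1.8.214 behaviour: authorizes on the parent conversation only."""
    thread, conv = _lookup(store, thread_id)
    if thread is None:
        return "not_found"
    if not can_view_conversation(user, conv):
        return "forbidden"
    # No ownership check here: any viewer of the conversation gets through.
    if now - thread.created_at > UNDO_WINDOW_SECONDS:
        return "window_expired"
    del store.threads[thread_id]
    return "deleted"


def undo_reply_fixed(store: Store, user: User, thread_id: int, now: float) -> str:
    """Hardened form: the thread being undone must belong to the requester."""
    thread, conv = _lookup(store, thread_id)
    if thread is None:
        return "not_found"
    if not can_view_conversation(user, conv):
        return "forbidden"
    if thread.created_by_user_id != user.id:  # the check that was missing (CWE-862)
        return "forbidden"
    if now - thread.created_at > UNDO_WINDOW_SECONDS:
        return "window_expired"
    del store.threads[thread_id]
    return "deleted"


def build_sample_store():
    """Constructed sample data: alice and bob share mailbox 1, carol does not."""
    alice = User(id=1, mailbox_ids=frozenset({1}))
    bob = User(id=2, mailbox_ids=frozenset({1}))
    carol = User(id=3, mailbox_ids=frozenset({2}))
    sent_at = 1_700_000_000.0
    store = Store()
    store.conversations[10] = Conversation(id=10, mailbox_id=1)
    store.threads[100] = Thread(id=100, conversation_id=10,
                                created_by_user_id=alice.id, created_at=sent_at)
    return store, alice, bob, carol, 100, sent_at


if __name__ == "__main__":
    store, alice, bob, carol, tid, t0 = build_sample_store()
    print("vulnerable, peer bob:", undo_reply_vulnerable(store, bob, tid, t0 + 5))
    store, alice, bob, carol, tid, t0 = build_sample_store()
    print("fixed, peer bob:", undo_reply_fixed(store, bob, tid, t0 + 5))
    print("fixed, author alice:", undo_reply_fixed(store, alice, tid, t0 + 5))
```

The ownership check has to live in the application: the request carries only a thread ID, so nothing in front of the server (proxy, WAF) can tell the author from a mailbox peer.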

Affected Systems

The vulnerability affects FreeScout help desk versions prior to 1.8.214. Any deployment on such a version in which more than one agent shares a mailbox is exposed, because the flawed check is in the undo-reply route itself rather than in an optional feature. Upgrade to FreeScout 1.8.214 or later to eliminate the flaw.

Risk and Exploitability

The CVSS 3.1 base score is 5.9 (Medium), vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L. Exploitation requires an authenticated agent account with view access to the target conversation and a request made within the 15‑second undo window, which is why attack complexity is rated high. No public proof of concept is referenced in the advisory, the CVE is not listed in the CISA KEV catalog, and the EPSS score is below 1%. Because the attacker must already be a member of the same shared mailbox, the realistic threat is an insider or a compromised agent account rather than an external one; strict mailbox segregation narrows the exposure but does not remove it.

Generated by OpenCVE AI on April 21, 2026 at 22:36 UTC.

Remediation

The vendor fixed the issue in FreeScout 1.8.214; upgrade to that version or later. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.214 or later; this is the only vendor‑supported fix.
  • If the upgrade must wait, block the `/conversation/undo-reply/` path at the reverse proxy or WAF. Because the request carries only the thread ID, a proxy rule cannot tell the author from a mailbox peer, so this disables undo‑send for every agent rather than only for non‑authors.
  • Do not rely on mailbox permissions as a mitigation: any agent who can view the conversation passes the vulnerable check, and the author check can only be enforced in the application, which is what the patch does.
  • Review web‑server or application logs for undo‑reply requests and correlate the thread IDs with the reply authors to identify any prior abuse.

Generated by OpenCVE AI on April 21, 2026 at 22:36 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Freescout Helpdesk
                                      Freescout Helpdesk freescout
Vendors & Products                    Freescout Helpdesk
                                      Freescout Helpdesk freescout
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.
Title                          FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}


Subscriptions

Freescout Helpdesk / Freescout

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:10:40.989Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40592

Vulnrichment

Updated: 2026-04-21T19:10:36.577Z

NVD

Status : Received

Published: 2026-04-21T17:16:57.087

Modified: 2026-04-21T17:16:57.087

Link: CVE-2026-40592

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses