Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability.
Published: 2026-04-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability allows non-folder conversation queries to reveal conversations that are intended to be visible only to their assigned users. This leads to unauthorized disclosure of private conversation records, affecting the confidentiality of support interactions. The weakness is an inconsistently applied access restriction, classified as CWE-200 (exposure of sensitive information to an unauthorized actor).

Affected Systems

The product impacted is FreeScout, the free self-hosted help desk and shared mailbox solution, specifically versions prior to 1.8.215. Deployments running versions below 1.8.215 are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity. Exploitation requires the ability to query non-folder conversation lists, which is typically available to any authenticated user. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers can target the global search or AJAX filter paths to retrieve hidden conversations, thereby gaining knowledge that should be restricted. The likely attack vector is inferred from the provided description, which specifically names the global search and AJAX filter paths.

Generated by OpenCVE AI on April 22, 2026 at 03:02 UTC.
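The bug class described above, an access restriction enforced in the folder query but missing from the search and filter query builders, is easy to reproduce in miniature. The following Python sketch is an added example and is not FreeScout code: it models a help desk's conversation store with a hypothetical `assigned_only` user flag, shows the vulnerable shape beside a hardened one in which every query builder composes the same visibility scope, and includes a check (`leaked_ids`) that unions the output of every list path and subtracts what the rule allows. That check is the kind of regression test the verification step in the recommended actions calls for. All sample conversations and users are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Conversation:
    id: int
    folder_id: int
    assignee_id: Optional[int]
    subject: str


@dataclass(frozen=True)
class User:
    id: int
    assigned_only: bool  # hypothetical flag: may only see conversations assigned to them


# Constructed sample data (not taken from any real FreeScout instance).
CONVERSATIONS: List[Conversation] = [
    Conversation(1, folder_id=1, assignee_id=7, subject="Password reset"),
    Conversation(2, folder_id=1, assignee_id=9, subject="Invoice question"),
    Conversation(3, folder_id=2, assignee_id=7, subject="Login problem"),
    Conversation(4, folder_id=2, assignee_id=None, subject="Spam report"),
]
RESTRICTED_USER = User(id=7, assigned_only=True)  # should see only 1 and 3
STAFF_USER = User(id=9, assigned_only=False)      # sees everything


def can_view(user: User, conv: Conversation) -> bool:
    """The single visibility rule that every query path must enforce."""
    return (not user.assigned_only) or conv.assignee_id == user.id


class VulnerableRepo:
    """Bug shape: the rule is applied in the folder query but forgotten in
    the other builders, so search and filter become side doors."""

    def folder(self, user: User, folder_id: int) -> List[Conversation]:
        return [c for c in CONVERSATIONS
                if c.folder_id == folder_id and can_view(user, c)]

    def search(self, user: User, term: str) -> List[Conversation]:
        # No visibility check: every matching conversation is returned.
        return [c for c in CONVERSATIONS if term.lower() in c.subject.lower()]

    def filter_by_assignee(self, user: User, assignee_id: Optional[int]) -> List[Conversation]:
        # No visibility check here either.
        return [c for c in CONVERSATIONS if c.assignee_id == assignee_id]


class ScopedRepo:
    """Hardened shape: every builder starts from one scoped base set, so a
    new query path cannot omit the rule by accident."""

    def _visible(self, user: User) -> List[Conversation]:
        return [c for c in CONVERSATIONS if can_view(user, c)]

    def folder(self, user: User, folder_id: int) -> List[Conversation]:
        return [c for c in self._visible(user) if c.folder_id == folder_id]

    def search(self, user: User, term: str) -> List[Conversation]:
        return [c for c in self._visible(user) if term.lower() in c.subject.lower()]

    def filter_by_assignee(self, user: User, assignee_id: Optional[int]) -> List[Conversation]:
        return [c for c in self._visible(user) if c.assignee_id == assignee_id]


def leaked_ids(repo, user: User) -> Set[int]:
    """Regression check: union every list path's output and subtract what the
    rule allows. A non-empty result means at least one path leaks."""
    seen: Set[int] = set()
    for folder_id in {c.folder_id for c in CONVERSATIONS}:
        seen |= {c.id for c in repo.folder(user, folder_id)}
    seen |= {c.id for c in repo.search(user, "")}  # empty term matches all
    for assignee_id in {c.assignee_id for c in CONVERSATIONS}:
        seen |= {c.id for c in repo.filter_by_assignee(user, assignee_id)}
    allowed = {c.id for c in CONVERSATIONS if can_view(user, c)}
    return seen - allowed


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_ids(VulnerableRepo(), RESTRICTED_USER)))
    print("scoped leaks:", sorted(leaked_ids(ScopedRepo(), RESTRICTED_USER)))
```

The design point is that the visibility rule lives in one place (`can_view`, wrapped by `_visible`) and every builder is derived from it; in an ORM this corresponds to a global or shared query scope rather than a condition added by hand to each controller. The `leaked_ids` check enumerates all list-returning paths with the broadest possible inputs, so a path that forgets the scope shows up as a non-empty set rather than going unnoticed.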

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.215 or later to restore the assigned-only restriction on all query paths.
  • Verify that the assigned-only restriction is active for global search and AJAX filter endpoints, ensuring hidden conversations are no longer returned.
  • Review and audit user access logs to detect any unauthorized exposure of hidden conversations and remediate improper permissions.

Generated by OpenCVE AI on April 22, 2026 at 03:02 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Freescout Helpdesk
                                       Freescout Helpdesk freescout
Vendors & Products                     Freescout Helpdesk
                                       Freescout Helpdesk freescout
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability.
Title                          FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations
Weaknesses                     CWE-200
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:37:11.192Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41183

Vulnrichment

Updated: 2026-04-21T20:01:03.594Z

NVD

Status: Received

Published: 2026-04-21T17:16:57.227

Modified: 2026-04-21T21:16:46.460

Link: CVE-2026-41183

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:15:06Z

Weaknesses