Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Change – mailbox chat settings
Action: Apply Patch
AI Analysis

Impact

FreeScout's MailboxesController::updateSave() writes the chat_start_new field to the mailbox outside the allowed-field filter that limits what each role may change. A user granted only the mailbox signature (sig) permission is shown just the signature field in the UI, but can include chat_start_new in a direct POST to the same endpoint and change the mailbox-wide chat setting. This is an authorization bypass (CWE-863): an operational setting of a shared mailbox is changed by a user who was never granted rights to mailbox settings, which can disrupt how customer support chat is offered on that mailbox.

Affected Systems

The vulnerability exists in all FreeScout help-desk releases prior to 1.8.215, that is, 1.8.214 and earlier. The vendor, freescout-help-desk, released version 1.8.215 as the fix; any installation running an older version is affected.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) reflects network-reachable, low-complexity exploitation by a low-privileged authenticated user with no user interaction, with the main impact on integrity. The EPSS score is below 1% and the issue is not listed in CISA's KEV catalog, so there is no evidence of active exploitation, but the precondition is modest: any valid FreeScout account holding the mailbox sig permission, whose only intended effect is editing the mailbox signature, is enough. No further access control stands between such a user and the setting, so exploitation is a single crafted POST to the updateSave endpoint.

Generated by OpenCVE AI on April 21, 2026 at 22:33 UTC.

Remediation

The vendor has released a fix: upgrade to FreeScout 1.8.215 or later. No workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade to FreeScout 1.8.215 or later, which fixes updateSave() so that a signature-only user can no longer change chat_start_new.
  • Audit mailbox permission assignments: the sig permission is meant to allow editing the mailbox signature only, so until the upgrade is applied treat every account that holds it as able to change chat_start_new, and review the current value of chat_start_new on each mailbox for unexpected changes.
  • If an immediate upgrade is not possible, add an application-level guard that discards chat_start_new (and any other field outside the signature) from POST requests to the updateSave endpoint unless the requester is permitted to manage the mailbox's settings. A network rule does not help here: the requests are authenticated and go to the same endpoint that legitimate signature edits use.
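
The bug pattern described in the Impact section, and the allow-list guard recommended above, shown side by side as an added illustration. This is not FreeScout's code: the Mailbox and MailboxUpdater classes, the field lists and the admin/sig-only boolean are hypothetical simplifications of the controller and permission model the advisory describes, and the POST body is constructed for the example.

```php
<?php
// Added example, not FreeScout's code. Models a Laravel-style "update mailbox"
// handler with an allowed-field filter. Class, method and field names other
// than chat_start_new and signature are hypothetical.

declare(strict_types=1);

final class Mailbox
{
    /** @var array<string, mixed> constructed sample mailbox state */
    public array $attributes = [
        'name'           => 'Support',
        'signature'      => 'Regards, Support',
        'chat_start_new' => false, // mailbox-wide chat setting, not for sig-only users
    ];
}

final class MailboxUpdater
{
    /** Fields a user allowed to manage mailbox settings may change. */
    private const FULL_FIELDS = ['name', 'signature', 'chat_start_new'];

    /** Fields a user holding only the `sig` permission may change. */
    private const SIG_ONLY_FIELDS = ['signature'];

    /** The allowed-field filter: the same role check the UI uses to hide fields. */
    private static function allowedFields(bool $canManageSettings): array
    {
        return $canManageSettings ? self::FULL_FIELDS : self::SIG_ONLY_FIELDS;
    }

    /** Vulnerable shape: chat_start_new is persisted outside the filter. */
    public static function updateSaveVulnerable(Mailbox $m, bool $canManageSettings, array $post): Mailbox
    {
        $allowed = self::allowedFields($canManageSettings);
        foreach ($post as $field => $value) {
            if (in_array($field, $allowed, true)) {
                $m->attributes[$field] = $value;
            }
        }
        // BUG: unfiltered write. The UI hides the field from sig-only users,
        // but a hand-built POST can still carry it, and it is saved regardless.
        if (array_key_exists('chat_start_new', $post)) {
            $m->attributes['chat_start_new'] = (bool) $post['chat_start_new'];
        }
        return $m;
    }

    /** Hardened shape: every persisted field passes through the allow-list. */
    public static function updateSaveFixed(Mailbox $m, bool $canManageSettings, array $post): Mailbox
    {
        $allowed = self::allowedFields($canManageSettings);
        // Mass-assignment guard: drop any key not in the allow-list, then cast.
        $clean = array_intersect_key($post, array_flip($allowed));
        if (array_key_exists('chat_start_new', $clean)) {
            $clean['chat_start_new'] = (bool) $clean['chat_start_new'];
        }
        foreach ($clean as $field => $value) {
            $m->attributes[$field] = $value;
        }
        return $m;
    }
}

// Constructed request body: what a sig-only user could submit by direct POST,
// bypassing a UI that only shows the signature field.
$post = ['signature' => 'Thanks, Alice', 'chat_start_new' => '1'];

$before = MailboxUpdater::updateSaveVulnerable(new Mailbox(), false, $post);
echo 'vulnerable: chat_start_new=', var_export($before->attributes['chat_start_new'], true), PHP_EOL;

$after = MailboxUpdater::updateSaveFixed(new Mailbox(), false, $post);
echo 'fixed:      chat_start_new=', var_export($after->attributes['chat_start_new'], true),
     ' signature=', var_export($after->attributes['signature'], true), PHP_EOL;
```

Run with `php example.php`. In the vulnerable handler the sig-only request flips chat_start_new even though the loop above it honoured the filter; in the fixed handler array_intersect_key strips the field before anything is written, while the signature change the user is entitled to make still goes through. The point of the hardened shape is that there is exactly one path from request to model, and it is the filtered one.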


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products                    Freescout Helpdesk; Freescout Helpdesk freescout
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Description                           FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.
Title                                 FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting changes
Weaknesses                            CWE-863
References
Metrics                               cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:07:38.705Z

Reserved: 2026-04-18T02:51:52.973Z

Link: CVE-2026-41191

Vulnrichment

Updated: 2026-04-21T19:07:35.370Z

NVD

Status: Received

Published: 2026-04-21T17:16:57.653

Modified: 2026-04-21T17:16:57.653

Link: CVE-2026-41191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses