Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.
Published: 2026-04-21
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Data Deletion
Action: Apply Patch
AI Analysis

Impact

FreeScout's reply and draft flows mistakenly trust attachment IDs supplied by the client. When a conversation's attachment list is sent back to the server in the attachments_all[] field, every ID that is not also present in the retained lists is decrypted and handed directly to Attachment::deleteByIds() without checking that the attachment belongs to the draft being saved. Because that function removes both the database record and the physical file, a malicious user can replay encrypted IDs obtained from the load_attachments response of any conversation they can view and permanently delete those attachments.
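As an added illustration, not FreeScout's own code and not the 1.8.215 fix, the following self-contained PHP sketch contrasts the trusting pattern described above with a handler that resolves the IDs server-side and deletes only attachments the requesting user's unsent draft actually owns. The in-memory attachment table, the toy reversible encoding standing in for the real encrypted ID, and the function names saveDraftVulnerable and saveDraftHardened are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory attachment table standing in for the database.
// thread_id is null while an upload is still only part of a draft.
$ATTACHMENTS = [
    1 => ['conversation_id' => 10, 'thread_id' => 100,  'uploaded_by' => 'alice'], // already sent
    2 => ['conversation_id' => 10, 'thread_id' => null, 'uploaded_by' => 'bob'],   // bob's draft upload
    3 => ['conversation_id' => 10, 'thread_id' => null, 'uploaded_by' => 'bob'],
    4 => ['conversation_id' => 11, 'thread_id' => null, 'uploaded_by' => 'bob'],   // other conversation
];

// Toy reversible encoding in place of the application's encrypted ID (assumption).
// The point is that any token a client has seen can be sent back unchanged.
function encryptId(int $id): string { return base64_encode("id:$id"); }
function decryptId(string $token): ?int {
    $raw = base64_decode($token, true);
    if ($raw === false || !preg_match('/^id:(\d+)$/', $raw, $m)) { return null; }
    return (int)$m[1];
}

// Vulnerable pattern: every client-supplied ID missing from the retained list is deleted.
function saveDraftVulnerable(array &$table, array $attachmentsAll, array $retained): array {
    $deleted = [];
    foreach ($attachmentsAll as $token) {
        if (in_array($token, $retained, true)) { continue; }
        $id = decryptId($token);
        if ($id !== null && isset($table[$id])) {
            unset($table[$id]);   // row and file gone, no ownership or state check
            $deleted[] = $id;
        }
    }
    return $deleted;
}

// Hardened pattern: delete only attachments that (a) belong to the conversation the draft
// is for, (b) have not been sent in any thread yet and (c) were uploaded by this user.
function saveDraftHardened(array &$table, string $user, int $conversationId,
                           array $attachmentsAll, array $retained): array {
    $deleted = [];
    foreach ($attachmentsAll as $token) {
        if (in_array($token, $retained, true)) { continue; }
        $id = decryptId($token);
        if ($id === null || !isset($table[$id])) { continue; }
        $row = $table[$id];
        $ownedDraftUpload = $row['conversation_id'] === $conversationId
            && $row['thread_id'] === null
            && $row['uploaded_by'] === $user;
        if (!$ownedDraftUpload) {
            // Refusing and logging gives defenders a signal worth alerting on.
            error_log("refused deletion of attachment $id requested by $user");
            continue;
        }
        unset($table[$id]);
        $deleted[] = $id;
    }
    return $deleted;
}

// Demonstration: bob replays the token of alice's already-sent attachment (1) and of an
// upload from another conversation (4) alongside his own draft uploads (2, 3).
$replay   = [encryptId(1), encryptId(2), encryptId(3), encryptId(4)];
$retained = [encryptId(3)];

$t1 = $ATTACHMENTS;
var_dump(saveDraftVulnerable($t1, $replay, $retained));

$t2 = $ATTACHMENTS;
var_dump(saveDraftHardened($t2, 'bob', 10, $replay, $retained));
```

Run with `php example.php`: the vulnerable handler removes alice's sent attachment and the attachment from the unrelated conversation along with bob's unretained upload, while the hardened handler removes only bob's own unsent upload and logs the refused requests, which is the kind of event the recommended monitoring below should capture.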

Affected Systems

FreeScout, a PHP-based help desk, is affected: all versions older than 1.8.215 are vulnerable, including every 1.8.x release before that one.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 corresponds to High severity. Exploitability has not yet been quantified by EPSS, and the flaw is not listed in CISA's KEV Catalog. An attacker who can send authenticated requests to the save_draft endpoint (i.e., a mailbox peer) can craft a payload that includes encrypted attachment IDs previously returned for a visible conversation, causing those attachments to be deleted. The attack needs neither code execution nor any privilege beyond that of an ordinary user with access to the mailbox.

Generated by OpenCVE AI on April 22, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeScout version 1.8.215 or later.
  • Disable any custom scripts or plugins that bypass attachment deletion validation, or revert to the default configuration that requires server-side validation before deletion.
  • Enable logging and monitoring for attachment deletion events and review user activity logs regularly.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Vendors & Products
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:45:00 +0000

Type: Description
  Values Added: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.
Type: Title
  Values Added: FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments
Type: Weaknesses
  Values Added: CWE-862
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:01:14.512Z

Reserved: 2026-04-18T02:51:52.973Z

Link: CVE-2026-41192

Vulnrichment

Updated: 2026-04-21T19:01:10.624Z

NVD

Status : Received

Published: 2026-04-21T18:16:53.047

Modified: 2026-04-21T18:16:53.047

Link: CVE-2026-41192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:15:06Z

Weaknesses