Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass — the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.
Published: 2026-05-07
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in FreeScout allows a user holding the PERM_EDIT_USERS permission to change any other user's notification subscriptions, including those of administrators, with a single POST request. Because the authorization check is missing on this code path, admins can be made to miss security alerts and assignment notifications, potentially delaying incident response. The weakness is classified as CWE-863, an Authorization Bypass for User Data. The flaw does not directly yield code execution or data theft; its impact is a reduction of an admin's situational awareness.

Affected Systems

The issue affects installations of the FreeScout help-desk software before version 1.8.217 (vendor: freescout-help-desk). The affected product is the FreeScout application as a whole, which may run on a variety of PHP/Laravel environments. The vendor's 1.8.217 release contains the fix.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. No EPSS score is available, so the probability of exploitation cannot be quantified from public metrics. The vulnerability is not listed in CISA's KEV catalog, suggesting that no widespread exploitation has been reported yet. An attacker must first hold the PERM_EDIT_USERS permission, which should be restricted to trusted users; the attack vector is a crafted HTTP POST request, so any authenticated user with that permission can exploit it. If a non-admin account is granted this permission, it can silently disable an admin's notifications, stealthily suppressing alerts.

Generated by OpenCVE AI on May 7, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FreeScout to version 1.8.217 or later to apply the vendor patch
  • Re‑evaluate account permissions and remove the PERM_EDIT_USERS privilege from non‑admin users
  • Implement monitoring or alerts for unauthorized changes to notification settings to detect possible exploitation
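
The third recommended action, monitoring for unauthorized changes to notification settings, can be backed by a small rule over audit records. The following is an added example, not code from OpenCVE or FreeScout: the JSON log format, the "notifications.update" action name, the actor/target field names and the sample records are all constructed for this illustration, and only the PERM_EDIT_USERS name comes from the advisory. The rule flags any change to another user's subscriptions made by a non-admin actor, and raises the severity when the target is an admin who lost delivery channels, which is exactly the "silently disable an admin's notifications" outcome the advisory describes.

```python
"""Detect cross-user changes to notification subscriptions in audit logs.

Constructed example: the record layout below is an assumed JSON-lines
audit format, not FreeScout's own log. Adapt the field names to whatever
your application, reverse proxy or SIEM actually records.
"""
import json
from dataclasses import dataclass

NOTIFICATION_ACTION = "notifications.update"   # assumed action name
EDIT_USERS_PERM = "PERM_EDIT_USERS"            # permission named in the advisory


@dataclass
class Finding:
    timestamp: str
    actor_id: int
    target_id: int
    severity: str
    reason: str


def subscriptions_disabled(before, after):
    """True when the change removed at least one delivery channel."""
    return bool(set(before) - set(after))


def evaluate(record):
    """Return a Finding for a suspicious notification change, else None."""
    if record.get("action") != NOTIFICATION_ACTION:
        return None
    actor, target = record["actor"], record["target"]
    if actor["id"] == target["id"]:
        return None      # users editing their own settings is expected
    if actor.get("is_admin"):
        return None      # admins are allowed to manage other users' settings
    reason = "non-admin actor changed another user's notification subscriptions"
    if EDIT_USERS_PERM in actor.get("permissions", []):
        reason += f" (actor holds {EDIT_USERS_PERM})"
    severity = "medium"
    if target.get("is_admin") and subscriptions_disabled(record["before"], record["after"]):
        severity = "high"
        reason += "; admin target lost delivery channels"
    return Finding(record["ts"], actor["id"], target["id"], severity, reason)


def scan(lines):
    """Run the rule over JSON-lines records; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = evaluate(record)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one self-edit, one admin edit, one non-admin
# holder of PERM_EDIT_USERS disabling an admin's channels, one non-admin
# editing a peer, one unrelated action, and one malformed line.
SAMPLE_LOG = """
{"ts":"2026-05-07T10:00:00Z","action":"notifications.update","actor":{"id":7,"is_admin":false,"permissions":[]},"target":{"id":7,"is_admin":false},"before":["email"],"after":["email","browser"]}
{"ts":"2026-05-07T10:05:00Z","action":"notifications.update","actor":{"id":1,"is_admin":true,"permissions":[]},"target":{"id":9,"is_admin":false},"before":["email"],"after":[]}
{"ts":"2026-05-07T10:10:00Z","action":"notifications.update","actor":{"id":12,"is_admin":false,"permissions":["PERM_EDIT_USERS"]},"target":{"id":1,"is_admin":true},"before":["email","browser","mobile"],"after":[]}
{"ts":"2026-05-07T10:15:00Z","action":"notifications.update","actor":{"id":12,"is_admin":false,"permissions":["PERM_EDIT_USERS"]},"target":{"id":9,"is_admin":false},"before":["email"],"after":["email","browser"]}
{"ts":"2026-05-07T10:20:00Z","action":"user.update","actor":{"id":12,"is_admin":false,"permissions":["PERM_EDIT_USERS"]},"target":{"id":9,"is_admin":false},"before":[],"after":[]}
this line is not JSON
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} [{f.severity}] actor={f.actor_id} target={f.target_id}: {f.reason}")
```

Running the block prints two findings: a high-severity one for the PERM_EDIT_USERS holder stripping every channel from the admin, and a medium one for the same actor touching a peer's settings. After upgrading to 1.8.217 the high-severity case should no longer be reachable, so a continued stream of such findings is a useful signal that the patch did not land everywhere.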

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Freescout Helpdesk
                                      Freescout Helpdesk freescout
Vendors & Products                    Freescout Helpdesk
                                      Freescout Helpdesk freescout

Thu, 07 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass — the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.
Title                          FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifying any user's notification subscriptions (incomplete fix of CVE-2025-48472)
Weaknesses                     CWE-863
References
Metrics                        cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T18:02:01.058Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41903

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-07T19:16:00.950

Modified: 2026-05-07T19:51:36.220

Link: CVE-2026-41903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:30:15Z

Weaknesses