Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214.
Published: 2026-05-07
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreeScout versions prior to 1.8.214 allow a low‑privileged agent to forge a request to the conversation_change_customer endpoint and bind a conversation to a customer that is not visible in the agent’s mailbox, effectively bypassing mailbox‑level access controls. The flaw is a classic authorization bypass where an attacker can associate data with a different mailbox, enabling unauthorized access to customer information. The CVSS score of 7.1 indicates a medium to high severity risk to confidentiality and integrity of customer data.

Affected Systems

The affected product is FreeScout, the open‑source help‑desk and shared inbox application built on Laravel. The issue exists in all releases prior to version 1.8.214; upgrading to 1.8.214 or newer patches the vulnerability.

Risk and Exploitability

The vulnerability is exploitable via the standard web interface; a malicious agent with low privileges can send a crafted HTTP request containing any customer_email. The EPSS score is unavailable and the vulnerability is not yet listed in the CISA KEV catalog, so the exploitation probability is unknown; the risk remains significant because of the nature of the control bypass. The CVSS score of 7.1 reflects the potential for unauthorized data access across mailboxes.

Generated by OpenCVE AI on May 7, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.214 or later.
  • If an upgrade is not immediately possible, restrict low‑privileged agent roles so that they cannot invoke the conversation_change_customer endpoint or deny them access to cross‑mailbox operations.
  • Validate the customer_email against the mailbox‑filtered search results in the backend before binding a conversation to ensure it belongs to the agent’s mailbox.
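The third recommended action is the server-side check the page says the backend lacked: the target customer must be validated against the same mailbox scope the search endpoint already applies. The following is an added illustration in Laravel-style PHP, not FreeScout's own code; the controller and class names, the mailboxes() relation on the user, the conversations relation on the customer, and the column names are assumptions chosen for the example. It shows the unchecked pattern the advisory describes beside a hardened version that authorizes the agent on the conversation's mailbox, scopes the customer lookup to that mailbox, and logs rejected attempts so they can be detected.

```php
<?php
// Added example (not FreeScout's code). All model, relation and column
// names below are assumptions for illustration only.

namespace App\Http\Controllers;

use App\Conversation;
use App\Customer;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class ConversationCustomerController extends Controller
{
    // Unchecked pattern (the behaviour described for versions prior to 1.8.214):
    // customer_email is trusted as supplied and whatever customer it resolves
    // to is bound to the conversation, regardless of mailbox scope.
    public function changeCustomerUnchecked(Request $request, Conversation $conversation)
    {
        $customer = Customer::where('email', $request->input('customer_email'))->firstOrFail();
        $conversation->customer_id = $customer->id;
        $conversation->save();

        return response()->json(['status' => 'success']);
    }

    // Hardened pattern: enforce the mailbox scope in the backend, not only in
    // the modal's search endpoint.
    public function changeCustomer(Request $request, Conversation $conversation)
    {
        $data = $request->validate([
            'customer_email' => ['required', 'email'],
        ]);

        $user      = $request->user();
        $mailboxId = $conversation->mailbox_id;

        // 1. The acting agent must be assigned to the conversation's mailbox
        //    (assumed many-to-many relation User::mailboxes()).
        if (!$user->mailboxes()->where('mailboxes.id', $mailboxId)->exists()) {
            Log::warning('change_customer denied: agent not in mailbox', [
                'user_id' => $user->id, 'conversation_id' => $conversation->id,
                'mailbox_id' => $mailboxId,
            ]);
            abort(403, 'Not authorized for this mailbox.');
        }

        // 2. The target customer must be reachable from that same mailbox,
        //    mirroring the filter the search endpoint applies (assumed
        //    relation Customer::conversations()).
        $customer = Customer::where('email', $data['customer_email'])
            ->whereHas('conversations', function ($q) use ($mailboxId) {
                $q->where('mailbox_id', $mailboxId);
            })
            ->first();

        if ($customer === null) {
            // Log the email, not a customer id: an out-of-scope id would leak
            // existence of a hidden customer to whoever reads the log context.
            Log::warning('change_customer denied: customer out of mailbox scope', [
                'user_id' => $user->id, 'conversation_id' => $conversation->id,
                'mailbox_id' => $mailboxId, 'customer_email' => $data['customer_email'],
            ]);
            abort(403, 'Customer is not in scope for this mailbox.');
        }

        $conversation->customer_id = $customer->id;
        $conversation->save();

        return response()->json(['status' => 'success']);
    }
}
```

The key design choice is that the hardened action never consults the client-side filter at all: both checks are recomputed from the conversation's own mailbox_id, so a forged customer_email cannot widen the scope. The same warning log lines also give a detection hook for agents probing cross-mailbox bindings.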

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Vendors & Products
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Thu, 07 May 2026 19:00:00 +0000

Type: Description
  Values Added: FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214.
Type: Title
  Values Added: FreeScout: Conversation Change-Customer Cross-Mailbox Authorization Bypass
Type: Weaknesses
  Values Added: CWE-639
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Freescout Helpdesk Freescout
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T18:09:23.374Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41906

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-07T19:16:01.357

Modified: 2026-05-07T19:51:36.220

Link: CVE-2026-41906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:30:15Z

Weaknesses