Mass Assignment Vulnerability in FreeScout Help Desk by FreeScout
CVE-2026-40569

Score: 9 (CRITICAL)

Key Information:

Vendor: FreeScout
CVE Published: 21 April 2026

What is CVE-2026-40569?

FreeScout, a self-hosted help desk solution, contains a mass assignment vulnerability that allows authenticated admin users to manipulate sensitive fields in the mailbox settings. The functions that save mailbox connection settings (connectionIncomingSave and connectionOutgoingSave) are vulnerable because they do not enforce a field allowlist before passing user input to the model's fill method. This flaw lets an attacker submit hidden parameters to overwrite crucial fields that the settings form does not display, such as auto_bcc, out_server, and out_password. Consequently, an admin could redirect outgoing emails, inject malicious content into email signatures, or set deceptive auto-replies, all without the awareness of other administrators. Given the potential for surveillance in multi-admin setups and the added risk if an admin session is hijacked, organizations using FreeScout should update to version 1.8.213 or later.
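The vulnerable pattern described above beside its allowlisted fix, as an added Laravel-style illustration that is not FreeScout's own code. It assumes an Eloquent-style model whose fill() accepts an attribute array; the controller name, the Mailbox model binding and the in_* field names are assumptions, while auto_bcc, out_server and out_password are the sensitive columns the advisory names.

```php
<?php
// Added illustration, not FreeScout's code. Assumes a Laravel-style Eloquent
// model whose fill() accepts an attribute array; the controller name, the
// Mailbox binding and the in_* field names are hypothetical, while auto_bcc,
// out_server and out_password are the sensitive columns named in the advisory.

use Illuminate\Http\Request;

class MailboxConnectionController
{
    // The only columns the incoming-connection form is meant to change
    // (hypothetical names chosen for the example).
    private const INCOMING_FORM_FIELDS = [
        'in_protocol', 'in_server', 'in_port', 'in_username', 'in_password',
    ];

    // VULNERABLE: the whole request body is handed to fill(), so a hidden
    // parameter such as auto_bcc or out_password is written to the mailbox
    // row together with the visible form fields.
    public function connectionIncomingSaveVulnerable(Request $request, Mailbox $mailbox)
    {
        $mailbox->fill($request->all());
        $mailbox->save();

        return redirect()->back();
    }

    // HARDENED: only allowlisted keys reach fill(); anything else submitted
    // (auto_bcc, out_server, out_password, ...) is dropped before it touches
    // the model, regardless of what the model's $fillable list permits.
    public function connectionIncomingSave(Request $request, Mailbox $mailbox)
    {
        $allowed = $request->only(self::INCOMING_FORM_FIELDS);
        $mailbox->fill($allowed);
        $mailbox->save();

        return redirect()->back();
    }
}
```

A model-level $fillable list is not a substitute when the sensitive columns must stay fillable for another form, so the allowlist belongs in each save handler. Comparing $request->all() against the allowlist in the handler also gives a convenient place to log unexpected parameters for detection.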

Affected Version(s)

freescout < 1.8.213

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved