Data Exposure in FreeScout Help Desk Software by FreeScout
CVE-2026-40570

5.7MEDIUM

Key Information:

Vendor

Freescout-help-desk

Status
Freescout
Vendor
CVE Published:
21 April 2026

What is CVE-2026-40570?

FreeScout, a self-hosted help desk and shared mailbox solution, has a vulnerability in the load_customer_info action of its AJAX endpoint. Prior to version 1.8.213, this issue allowed any authenticated user to access complete customer profile data without appropriate mailbox access verification. An attacker could exploit this flaw with just a valid email address, leading to unauthorized exposure of personal identifiable information (PII). The vulnerability has been addressed in version 1.8.213.

Affected Version(s)

freescout < 1.8.213

References

https://github.com/freescout-help-desk/freescout/security...
x_refsource_CONFIRM
https://github.com/freescout-help-desk/freescout/commit/f...
x_refsource_MISC
https://github.com/freescout-help-desk/freescout/releases...
x_refsource_MISC

CVSS V4

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.