Exposed Email Validation in FreeScout Help Desk Software
CVE-2026-40590
4.3 MEDIUM
What is CVE-2026-40590?
FreeScout, a self-hosted help desk application, has a vulnerability in its Change Customer modal in versions prior to 1.8.214. The modal's 'Create a new customer' flow, submitted via a POST request, bypasses the unique-email validation for hidden customers. If an attacker submits an email already associated with a hidden customer, the system may reuse that customer's existing object, letting the attacker fill its empty profile fields with their own input. Version 1.8.214 addresses this issue, preventing this unauthorized access and protecting the integrity of customer data.
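The logic described above, reduced to an in-memory model. This is an added example, not FreeScout's code: the class and method names are hypothetical, the sample data is constructed, and the hardened variant is one assumed fix, not necessarily the change made in 1.8.214.

```python
from dataclasses import dataclass, field


class EmailInUse(Exception):
    """Raised when the submitted email already belongs to a customer."""


@dataclass
class Customer:
    email: str
    hidden: bool = False  # not visible to the requesting user
    profile: dict = field(default_factory=dict)


class CustomerStore:
    """Toy in-memory model; all names here are hypothetical."""

    def __init__(self, customers):
        self.by_email = {c.email.lower(): c for c in customers}

    def _create_or_reuse(self, email, fields):
        # Reuse the record for this email if one exists, else make one.
        customer = self.by_email.setdefault(email.lower(), Customer(email))
        for key, value in fields.items():
            if not customer.profile.get(key):  # only empty fields are filled
                customer.profile[key] = value
        return customer

    def create_flawed(self, email, fields):
        # Flaw: uniqueness is checked only against customers the caller can
        # see, so a hidden customer's email passes validation.
        existing = self.by_email.get(email.lower())
        if existing is not None and not existing.hidden:
            raise EmailInUse(email)
        return self._create_or_reuse(email, fields)

    def create_hardened(self, email, fields):
        # Assumed fix: uniqueness is checked against every record,
        # regardless of visibility, before anything is written.
        if email.lower() in self.by_email:
            raise EmailInUse(email)
        return self._create_or_reuse(email, fields)


def sample_store():
    # Constructed sample data: one hidden customer with an empty phone field.
    return CustomerStore([Customer("hidden@example.test", hidden=True,
                                   profile={"first_name": "Ana", "phone": ""})])
```

In the flawed path the hidden record is returned and its empty `phone` field takes the submitted value while the populated `first_name` is left alone; in the hardened path the request is rejected before any write.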
Affected Version(s)
freescout < 1.8.214
