Improper Access Control in FreeScout Help Desk Platform
CVE-2026-40591
7.1 HIGH
What is CVE-2026-40591?
FreeScout is a self-hosted help desk solution. Prior to version 1.8.214, its phone-conversation creation flow accepted attacker-controlled inputs such as 'customer_id', 'name', 'to_email', and 'phone' from low-privileged agents without enforcing customer visibility. An agent could therefore bind a phone conversation to a customer record hidden from them (one belonging to a different mailbox) and add email aliases to that record, gaining unauthorized access to customer details across mailboxes. Version 1.8.214 fixes this vulnerability.
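The flaw described above is a missing authorization check on a submitted identifier: the handler trusted 'customer_id' and 'to_email' as sent. The following is an added illustration, not FreeScout's code, of a pre-fix handler beside a hardened one. The data model (Customer, Agent, Conversation), the sample records, and the function names are all constructed for this example; the hardened handler resolves the customer only among records visible from the agent's own mailboxes and refuses to attach an email address the customer does not already have.

```python
from dataclasses import dataclass, field
from typing import Optional


class AccessDenied(Exception):
    """Raised when a request references data outside the agent's mailboxes."""


@dataclass
class Customer:
    id: int
    name: str
    emails: set = field(default_factory=set)
    phones: set = field(default_factory=set)
    mailbox_ids: set = field(default_factory=set)  # mailboxes where this customer is visible


@dataclass
class Agent:
    id: int
    mailbox_ids: set  # mailboxes the agent is allowed to work in


@dataclass
class Conversation:
    mailbox_id: int
    customer_id: int
    phone: str
    to_email: Optional[str]


def sample_data():
    """Constructed sample: agent 7 only sees mailbox 1; customer 2 exists only in mailbox 2."""
    customers = {
        1: Customer(1, "Alice", {"alice@example.test"}, {"+15550001"}, {1}),
        2: Customer(2, "Bob (hidden)", {"bob@example.test"}, {"+15550002"}, {2}),
    }
    agent = Agent(7, {1})
    return agent, customers


def create_phone_conversation_vulnerable(agent, mailbox_id, form, customers):
    """Pre-fix pattern (hypothetical): every submitted field is trusted as-is."""
    customer = customers[form["customer_id"]]          # no visibility check on the id
    if form.get("name"):
        customer.name = form["name"]                   # overwrites a record the agent cannot see
    if form.get("to_email"):
        customer.emails.add(form["to_email"])          # attaches a caller-chosen alias
    return Conversation(mailbox_id, customer.id, form["phone"], form.get("to_email"))


def create_phone_conversation_fixed(agent, mailbox_id, form, customers):
    """Hardened handler: resolve the customer only within what the agent may see."""
    if mailbox_id not in agent.mailbox_ids:
        raise AccessDenied("agent has no access to this mailbox")
    cid = form.get("customer_id")
    if cid is not None:
        customer = customers.get(cid)
        if customer is None or not (customer.mailbox_ids & agent.mailbox_ids):
            # An out-of-scope id is treated exactly like a non-existent one.
            raise AccessDenied("customer is not visible from the agent's mailboxes")
    else:
        # New customer: built from the submitted phone number, scoped to this mailbox.
        cid = max(customers) + 1
        customer = Customer(cid, form.get("name") or "", set(), {form["phone"]}, {mailbox_id})
        customers[cid] = customer
    to_email = form.get("to_email")
    if to_email is not None and to_email not in customer.emails:
        # The form may select an already-known address but never add a new alias.
        raise AccessDenied("to_email is not one of the customer's known addresses")
    return Conversation(mailbox_id, customer.id, form["phone"], to_email)
```

The key design point is that the customer lookup is scoped by the agent's mailbox membership rather than performed globally and checked afterwards, so a hidden record is indistinguishable from a missing one, and alias creation is removed from the request path entirely.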
Affected Version(s)
freescout < 1.8.214
