Improper Access Control in FreeScout Help Desk Software
CVE-2026-40592

5.9 MEDIUM

Key Information:

CVE Published: 21 April 2026

What is CVE-2026-40592?

FreeScout, a self-hosted help desk solution, suffers from an improper access control vulnerability. Prior to version 1.8.214, when using the undo-send feature for replies in a shared mailbox, agents could mistakenly recall messages sent by other agents: the system did not adequately verify that the current user was the actual author of the reply, so any agent with access to the shared mailbox could recall a colleague's reply during the 15-second undo window. This issue has been remedied in version 1.8.214 with enhanced verification mechanisms.
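The pattern behind this advisory is a missing ownership check on a time-limited action. The following is an added illustration written for this page, not FreeScout's own code: the names (`Reply`, `undo_send_vulnerable`, `undo_send_fixed`, the constructed sample replies) are hypothetical, and the only facts taken from the advisory are the shared-mailbox context, the 15-second window, and the fix of verifying that the current user authored the reply.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The advisory describes a 15-second undo window after a reply is sent.
UNDO_WINDOW = timedelta(seconds=15)


@dataclass
class Reply:
    """Hypothetical model of a reply in a shared mailbox (constructed for this example)."""
    id: int
    mailbox_id: int
    author_id: int
    sent_at: datetime
    recalled: bool = False


class NotAuthorized(Exception):
    pass


class WindowExpired(Exception):
    pass


def _check_window(reply: Reply, now: datetime) -> None:
    # Shared by both variants: the time limit was not the defect.
    if now - reply.sent_at > UNDO_WINDOW:
        raise WindowExpired(f"undo window closed for reply {reply.id}")


def undo_send_vulnerable(reply: Reply, user_id: int, user_mailboxes: set[int],
                         now: datetime) -> bool:
    """Authorizes only on mailbox membership, so any agent sharing the mailbox
    can recall a colleague's reply (the flaw class described in the advisory)."""
    if reply.mailbox_id not in user_mailboxes:
        raise NotAuthorized("no access to this mailbox")
    _check_window(reply, now)
    reply.recalled = True
    return True


def undo_send_fixed(reply: Reply, user_id: int, user_mailboxes: set[int],
                    now: datetime) -> bool:
    """Same flow, plus the ownership check: only the reply's author may recall it."""
    if reply.mailbox_id not in user_mailboxes:
        raise NotAuthorized("no access to this mailbox")
    if reply.author_id != user_id:
        # The missing check: mailbox access alone is not authorship.
        raise NotAuthorized("only the author of a reply may recall it")
    _check_window(reply, now)
    reply.recalled = True
    return True


def run_scenarios() -> dict[str, str]:
    """Exercises both variants on constructed data; returns outcome per scenario."""
    t0 = datetime(2026, 4, 21, 12, 0, 0, tzinfo=timezone.utc)
    shared_mailbox = 7
    alice, bob = 1, 2                      # two agents sharing mailbox 7
    both = {shared_mailbox}
    results = {}

    def attempt(label, fn, reply, user, now):
        try:
            fn(reply, user, both, now)
            results[label] = "recalled"
        except NotAuthorized:
            results[label] = "denied"
        except WindowExpired:
            results[label] = "expired"

    # Bob tries to recall Alice's reply 5 seconds after it was sent.
    attempt("vuln_other_agent", undo_send_vulnerable,
            Reply(1, shared_mailbox, alice, t0), bob, t0 + timedelta(seconds=5))
    attempt("fixed_other_agent", undo_send_fixed,
            Reply(2, shared_mailbox, alice, t0), bob, t0 + timedelta(seconds=5))
    # Alice recalls her own reply inside the window, and again after it closes.
    attempt("fixed_author_in_window", undo_send_fixed,
            Reply(3, shared_mailbox, alice, t0), alice, t0 + timedelta(seconds=5))
    attempt("fixed_author_late", undo_send_fixed,
            Reply(4, shared_mailbox, alice, t0), alice, t0 + timedelta(seconds=20))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design point is that coarse resource-level authorization (can this user see the mailbox?) is not the same as action-level authorization (may this user undo this particular reply?); the hardened version keys the check on the reply's stored author rather than on anything the client supplies.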

Affected Version(s)

freescout < 1.8.214

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
