Unauthorized Editing in FreeScout Help Desk Software
CVE-2026-41189

7.1 HIGH

Key Information:

CVE Published: 21 April 2026

What is CVE-2026-41189?

FreeScout, a self-hosted help desk solution, has an authorization bypass issue that allows users to edit customer-authored threads without proper permissions. Prior to version 1.8.215, the system checks mailbox access but fails to enforce the necessary restrictions, so users can interact with conversations they should not be able to view. This vulnerability could allow unauthorized modification of sensitive information, so users should upgrade to the fixed version to maintain their system's integrity.

Affected Version(s)

freescout < 1.8.215

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved