Access Control Weakness in FreeScout Help Desk
CVE-2026-41190

7.1 HIGH

Key Information:

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-41190?

The FreeScout help desk application has an access control weakness that appears when the setting 'APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS' is enabled. With that setting on, users who are neither the assignee nor the creator of a conversation can still use the 'save_draft' AJAX path to create drafts within conversations that are otherwise hidden from their view. The issue was resolved in version 1.8.215.

Affected Version(s)

freescout < 1.8.215

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
