Access Control Flaw in FreeScout Help Desk Software by FreeScout
CVE-2026-41906

7.1 HIGH

Key Information:

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-41906?

FreeScout is a help desk and shared inbox application built on PHP's Laravel framework. Before version 1.8.214 it enforces mailbox scoping inconsistently in the Change Customer modal: the mailbox-filtered customer search endpoint hides customers that do not belong to a mailbox the agent can access, but the backend conversation_change_customer action does not apply the same check to the submitted customer_email parameter. A low-privileged agent can therefore bypass the filtered search and submit the address of a hidden customer directly, binding a conversation to a customer from a mailbox that should be out of the agent's reach. The search filter only limits what the UI offers; the authorization decision has to be repeated on the server for the action itself. The issue is fixed in version 1.8.214, and affected deployments should upgrade to that version or later.
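The pattern described above, as an added illustration that is not FreeScout's code: a constructed model in which the customer search is filtered by mailbox but the action that re-binds a conversation trusts customer_email as submitted, shown beside a hardened version that re-applies the same scoping rule. All names, the fixture data and the visibility rule (a customer is visible if they appear in a mailbox the agent may access) are assumptions made for the example.

```python
"""Constructed model of the mailbox-scoping gap described above.

Added illustration, not FreeScout code: names, data and the scoping rule
are assumptions chosen to show the pattern of a search endpoint that
filters by mailbox while the action that re-binds a conversation trusts
the submitted customer_email parameter.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Agent:
    name: str
    mailbox_ids: frozenset[int]  # mailboxes this agent is allowed to work in


@dataclass
class Customer:
    email: str
    mailbox_ids: set[int] = field(default_factory=set)  # mailboxes holding this customer's conversations


@dataclass
class Conversation:
    id: int
    mailbox_id: int
    customer_email: str


def sample_data() -> tuple[dict[str, Customer], dict[int, Conversation]]:
    """Fresh constructed fixture: one customer in mailbox 1, one only in mailbox 2."""
    customers = {
        "alice@example.com": Customer("alice@example.com", {1}),
        "hidden@example.org": Customer("hidden@example.org", {2}),
    }
    conversations = {100: Conversation(100, mailbox_id=1, customer_email="alice@example.com")}
    return customers, conversations


def customer_visible(agent: Agent, customer: Customer) -> bool:
    """Assumed scoping rule: visible only if the customer appears in a mailbox the agent may access."""
    return bool(customer.mailbox_ids & agent.mailbox_ids)


def search_customers(agent: Agent, customers: dict[str, Customer], mailbox_id: int, query: str) -> list[str]:
    """Mailbox-filtered search, the part the advisory says already hid out-of-scope customers."""
    if mailbox_id not in agent.mailbox_ids:
        raise PermissionError("no access to mailbox")
    return sorted(
        c.email for c in customers.values()
        if mailbox_id in c.mailbox_ids and query.lower() in c.email.lower()
    )


def _load_conversation(agent: Agent, conversations: dict[int, Conversation], conversation_id: int) -> Conversation:
    """Shared step: the conversation itself must be in one of the agent's mailboxes."""
    conv = conversations[conversation_id]
    if conv.mailbox_id not in agent.mailbox_ids:
        raise PermissionError("no access to conversation")
    return conv


def change_customer_vulnerable(agent, customers, conversations, conversation_id: int, customer_email: str) -> Conversation:
    """Pre-fix pattern: authorizes the conversation, then trusts customer_email as submitted."""
    conv = _load_conversation(agent, conversations, conversation_id)
    customer = customers[customer_email]  # no visibility check: a hidden customer can be bound
    conv.customer_email = customer.email
    return conv


def change_customer_fixed(agent, customers, conversations, conversation_id: int, customer_email: str) -> Conversation:
    """Hardened pattern: the action re-applies the same scoping rule the search endpoint uses."""
    conv = _load_conversation(agent, conversations, conversation_id)
    customer = customers.get(customer_email)
    if customer is None or not customer_visible(agent, customer):
        # One response for unknown and hidden addresses, so the error does not confirm a customer exists.
        raise PermissionError("customer not available in your mailboxes")
    conv.customer_email = customer.email
    return conv


def demo() -> dict[str, object]:
    """Run a low-privileged agent (mailbox 1 only) through both variants and report what each allowed."""
    agent = Agent("agent-mailbox1", frozenset({1}))
    customers, conversations = sample_data()
    results: dict[str, object] = {"search_from_mailbox_1": search_customers(agent, customers, 1, "@")}
    bound = change_customer_vulnerable(agent, customers, conversations, 100, "hidden@example.org")
    results["vulnerable_bound_to"] = bound.customer_email
    customers, conversations = sample_data()
    try:
        change_customer_fixed(agent, customers, conversations, 100, "hidden@example.org")
        results["fixed_outcome"] = "bound"
    except PermissionError:
        results["fixed_outcome"] = "denied"
    results["fixed_conversation_customer"] = conversations[100].customer_email
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened variant is that the action and the search share one visibility predicate, so a value the search would never offer is also rejected when it is posted directly. When checking a deployment for this class of bug, the test is the same as the model: submit to the change-customer action an address that the mailbox-filtered search does not return, and confirm the server refuses it rather than relying on the modal's list.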

Affected Version(s)

freescout < 1.8.214

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
