{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40591", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T14:07:59.641Z", "datePublished": "2026-04-21T16:54:14.113Z", "dateUpdated": "2026-04-21T17:46:38.202Z"}, "containers": {"cna": {"title": "FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.214", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:54:14.113Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability."}], "source": {"advisory": "GHSA-9ff4-mmhv-x6jp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:46:34.226416Z", "id": "CVE-2026-40591", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:46:38.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40591", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:46:34.226416Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:46:26.047Z"}}], "cna": {"title": "FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification", "source": {"advisory": "GHSA-9ff4-mmhv-x6jp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.214"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34", "name": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:54:14.113Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40591", "state": "PUBLISHED", "dateUpdated": "2026-04-21T17:46:38.202Z", "dateReserved": "2026-04-14T14:07:59.641Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:54:14.113Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability."}], "id": "CVE-2026-40591", "lastModified": "2026-04-21T18:16:51.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:56.940", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.214)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-21T22:36:39.683639+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.214 or later.", "Implement or verify that the phone\u2011conversation creation logic validates that the referenced customer belongs to the current mailbox before creating the record.", "Enable logging or auditing for phone\u2011conversation creation requests that reference hidden or cross\u2011mailbox customers to detect potential abuse."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Customer Data Modification"}, "threat_synthesis": {"affected_systems": "The affected product is FreeScout Help Desk (freescout\u2011help\u2011desk). All deployments running any version before 1.8.214 are vulnerable. Version 1.8.214 and later contain a fix that validates customer visibility before creating the conversation.", "description_and_impact": "FreeScout, a self\u2011hosted help\u2011desk platform, allows a low\u2011privileged agent to create a phone conversation with attacker\u2011controlled values for customer_id, name, to_email and phone. Because the backend does not enforce mailbox\u2011scoped customer visibility, the agent can associate the new conversation with a hidden customer that belongs to another mailbox and add an alias email to that hidden customer record. The flaw permits unauthorized modification of customer data across mailbox boundaries, compromising data integrity and potentially exposing sensitive customer information. The weakness is identified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score is 7.1, indicating a high severity vulnerability. Exploitation requires an authenticated user with low privileges within the application, so the attack vector is an authenticated, in\u2011application user, not remote code execution. Because the Exploit Prediction Scoring System data is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, the current likelihood of active exploitation in the wild appears to be moderate. However, the potential for cross\u2011mailbox data tampering warrants prompt remediation."}}}}, "created": "2026-04-21T21:15:45.253165+00:00", "updated": "2026-04-21T22:45:16.054789+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}