FreeScout Vulnerability Allows Low-Privilege Agents to Expose Hidden Customer Data
The National Vulnerability Database has published details of a high-severity vulnerability (CVE-2026-40591) in FreeScout, a popular self-hosted help desk. Versions prior to 1.8.214 contain an improper access control flaw: when a low-privileged agent creates a phone conversation, the mailbox-scoped customer visibility rules are not enforced on the customer the conversation is attached to. An agent can therefore link a conversation in their own mailbox to a customer record that is hidden in another mailbox, and can add a new email alias to that customer's profile.
For organizations running FreeScout the impact is twofold. Any authenticated agent, even one with the lowest privilege level, can reach customer records that mailbox scoping was meant to keep out of view, so the flaw is a data exposure across mailbox boundaries. It is also a data integrity issue: the same path lets the agent modify the hidden customer record by attaching an alias, which undermines the privacy controls the help desk relies on to separate customers between mailboxes. The vulnerability carries a CVSS score of 7.1 (HIGH).
Defenders should upgrade FreeScout instances to version 1.8.214 or later without delay. They should also review FreeScout configurations and audit logs for phone conversations linked to customers outside the creating agent's mailboxes, and for customer email aliases added by agents who would not normally be able to see those customers. Understanding how customer data is segmented inside your help desk matters most for self-hosted deployments, where the operator is responsible for that oversight.
What This Means For You
- If your organization uses FreeScout, patch immediately to version 1.8.214 or higher. Verify that each agent's mailbox assignments match their intended scope, and audit customer records for unauthorized additions or modifications, particularly newly added email aliases.
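The access-control failure described above, and the audit recommended in the list, modelled as an added example. This is not FreeScout's code and does not reproduce its schema: the `Agent`, `Customer` and `Conversation` records, the visibility rule (a customer is visible to an agent only if the customer already has a record in one of the agent's mailboxes) and the event records fed to the audit are all assumptions made for illustration. The `_unchecked` function shows the class of behaviour the advisory describes, the hardened variant adds the scope check, and `audit_cross_scope_links` applies the same rule to constructed event records to find phone conversations that should not have been possible.

```python
"""Mailbox-scoped customer visibility: an illustrative model, not FreeScout's code.

Assumptions (hypothetical, for this example only):
  * an agent may work in a set of mailboxes;
  * a customer is "visible" in the mailboxes where that customer already has a record;
  * creating a phone conversation links a customer to a mailbox and may add an email alias.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an agent acts outside its mailbox scope."""


@dataclass
class Agent:
    id: int
    mailbox_ids: frozenset  # mailboxes the agent is assigned to


@dataclass
class Customer:
    id: int
    mailbox_ids: set  # mailboxes in which this customer is currently visible
    emails: list = field(default_factory=list)


@dataclass
class Conversation:
    id: int
    mailbox_id: int
    customer_id: int
    created_by: int


def customer_visible_to(agent, customer):
    """Scope rule: the customer must already be visible in a mailbox the agent can access."""
    return bool(agent.mailbox_ids & customer.mailbox_ids)


def create_phone_conversation_unchecked(agent, mailbox_id, customer, new_email, conv_id, store):
    """'Before' behaviour: only the target mailbox is authorised; the customer id is trusted."""
    if mailbox_id not in agent.mailbox_ids:
        raise Forbidden("agent not assigned to mailbox")
    conv = Conversation(conv_id, mailbox_id, customer.id, agent.id)
    customer.mailbox_ids.add(mailbox_id)   # hidden customer is now linked to the agent's mailbox
    if new_email:
        customer.emails.append(new_email)  # alias added without any visibility check
    store.append(conv)
    return conv


def create_phone_conversation(agent, mailbox_id, customer, new_email, conv_id, store):
    """Hardened: same operation, but the customer must already be within the agent's scope."""
    if mailbox_id not in agent.mailbox_ids:
        raise Forbidden("agent not assigned to mailbox")
    if not customer_visible_to(agent, customer):
        # In a real app return the same response as "not found" so the id is not confirmed.
        raise Forbidden("customer not visible from agent's mailboxes")
    return create_phone_conversation_unchecked(agent, mailbox_id, customer, new_email, conv_id, store)


# Constructed sample event records (not real FreeScout logs); the field names are assumptions.
CONSTRUCTED_EVENTS = [
    {"event": "conversation.created", "type": "phone", "conversation_id": 901,
     "mailbox_id": 1, "customer_id": 77, "agent_id": 5},
    {"event": "customer.email_added", "customer_id": 77,
     "email": "alias@example.invalid", "agent_id": 5},
    {"event": "conversation.created", "type": "phone", "conversation_id": 902,
     "mailbox_id": 1, "customer_id": 12, "agent_id": 5},
]


def audit_cross_scope_links(events, agents, customers_before):
    """Flag phone conversations whose customer was not visible to the creating agent
    before the event. `customers_before` is a snapshot {customer_id: set(mailbox_ids)}
    taken from before the period being audited."""
    findings = []
    for ev in events:
        if ev.get("event") != "conversation.created" or ev.get("type") != "phone":
            continue
        agent = agents[ev["agent_id"]]
        visible = customers_before[ev["customer_id"]]
        if not (agent.mailbox_ids & visible):
            findings.append((ev["conversation_id"], ev["customer_id"], ev["agent_id"]))
    return findings


def demo():
    """Run both code paths against a customer hidden in a mailbox the agent cannot see."""
    agent = Agent(5, frozenset({1}))
    hidden = Customer(77, {2})  # exists only in mailbox 2
    create_phone_conversation_unchecked(agent, 1, hidden, "alias@example.invalid", 901, [])
    leaked = (1 in hidden.mailbox_ids, "alias@example.invalid" in hidden.emails)
    try:
        create_phone_conversation(agent, 1, Customer(77, {2}), "alias@example.invalid", 902, [])
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print("unchecked path leaked (linked, alias added):", demo())
    print("audit findings:", audit_cross_scope_links(
        CONSTRUCTED_EVENTS, {5: Agent(5, frozenset({1}))}, {77: {2}, 12: {1}}))
```

The audit needs a snapshot of customer visibility from before the window being reviewed, because the vulnerable path itself makes the customer visible in the agent's mailbox afterwards; checking current state alone would hide exactly the linkages you are looking for.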
Detection Rules
- FreeScout Phone Conversation Creation with Suspicious Customer ID - CVE-2026-40591
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40591 | Vulnerability | CVE-2026-40591 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.