FreeScout Vulnerability Lets Unauthorized Users Edit Support Threads

The National Vulnerability Database has disclosed a critical vulnerability, CVE-2026-41189, affecting FreeScout, a popular self-hosted help desk and shared mailbox solution. Prior to version 1.8.215, the system’s ThreadPolicy::edit() function checked for mailbox access but failed to enforce conversation-specific restrictions. This oversight allowed users without proper viewing privileges to load and modify customer-authored threads within conversations they shouldn’t access.

The National Vulnerability Database rates this flaw as HIGH severity with a CVSS score of 7.1, highlighting its potential for significant impact. Attackers with low privileges could exploit this by manipulating support tickets, potentially altering customer requests or internal notes to disrupt operations or facilitate further compromise. This is a direct failure in access control logic, allowing privilege escalation within the application.

Defenders using FreeScout must upgrade immediately to version 1.8.215 or later. Organizations should also review access control policies for their help desk solutions, ensuring that granular permissions are strictly enforced, not just at the mailbox level but also at the conversation or ticket level. This incident underscores the need for rigorous security testing on all authorization functions, especially in multi-tenant or shared resource environments.