FreeScout Attachment Flaw Allows Data Deletion
A critical vulnerability, CVE-2026-41192, has been identified in FreeScout, a popular self-hosted help desk solution. According to the National Vulnerability Database, versions prior to 1.8.215 are susceptible to an attachment deletion flaw with a CVSS score of 7.1 (HIGH).
The issue stems from how FreeScout handles client-supplied encrypted attachment IDs during reply and draft workflows. The National Vulnerability Database explains that any IDs present in the client-supplied attachments_all[] array but omitted from the retained list are decrypted and passed directly to Attachment::deleteByIds(). This means a mailbox peer (another authenticated user of the same mailbox) can replay valid, encrypted attachment IDs from a visible conversation via the save_draft function, deleting the original attachment file and its corresponding database entry.
This isn’t just a nuisance; it’s a data integrity nightmare. While the National Vulnerability Database indicates the vulnerability doesn’t directly lead to confidentiality compromise, the ability for an authenticated peer to arbitrarily delete attachments can disrupt operations, obscure evidence, and potentially facilitate further social engineering attacks by removing crucial context. Version 1.8.215 addresses this flaw, tightening the trust boundaries around attachment ID handling.
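To make the trust-boundary problem concrete, here is an added Python model of the two behaviours; it is not FreeScout's code (which is PHP), the "enc:" token scheme, in-memory store and thread ids are constructed stand-ins, and the hardened variant shows one plausible ownership check rather than the project's actual patch.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the reversible encryption of attachment IDs.
def encrypt_id(att_id: int) -> str:
    return f"enc:{att_id}"

def decrypt_id(token: str) -> int:
    return int(token.removeprefix("enc:"))

@dataclass
class Store:
    # Constructed stand-in for the attachments table: attachment id -> owning thread id.
    attachments: dict
    deleted: list = field(default_factory=list)

    def delete_by_ids(self, ids):
        # Stand-in for Attachment::deleteByIds(): removes file and DB row for each id.
        for i in ids:
            self.attachments.pop(i, None)
            self.deleted.append(i)

def save_draft_vulnerable(store, attachments_all, attachments_retained):
    """Pattern the advisory describes: every token in attachments_all[] that is
    not in the retained list is decrypted and deleted. Nothing checks that the
    attachment belongs to the draft being saved, so a token copied from another
    visible conversation deletes that conversation's attachment."""
    stale = set(attachments_all) - set(attachments_retained)
    store.delete_by_ids([decrypt_id(t) for t in stale])

def save_draft_hardened(store, draft_thread_id, attachments_all, attachments_retained):
    """Hardened variant (hypothetical): the decrypted ids are intersected with the
    attachments the server already associates with this draft's thread. Replayed
    ids from other threads are dropped and returned so the caller can log them."""
    stale = set(attachments_all) - set(attachments_retained)
    candidates = [decrypt_id(t) for t in stale]
    owned = [i for i in candidates if store.attachments.get(i) == draft_thread_id]
    rejected = sorted(set(candidates) - set(owned))
    store.delete_by_ids(owned)
    return rejected  # non-empty means someone submitted ids they do not own

if __name__ == "__main__":
    # Attachment 1 lives in thread 100 (someone else's conversation), 2 in thread 200 (ours).
    store = Store({1: 100, 2: 200})
    save_draft_vulnerable(store, [encrypt_id(1), encrypt_id(2)], [encrypt_id(2)])
    print("vulnerable deleted:", store.deleted)          # [1]
    store = Store({1: 100, 2: 200})
    print("hardened rejected:", save_draft_hardened(
        store, 200, [encrypt_id(1), encrypt_id(2)], [encrypt_id(2)]))  # [1]
```

A non-empty rejected list from the hardened path is the event an audit log should record, since a legitimate client only ever submits ids it was handed for its own draft.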
What This Means For You
- If your organization uses FreeScout, you need to check your version immediately. This isn't theoretical; an authenticated user, even a legitimate one, can weaponize this to delete critical attachments. Update to FreeScout version 1.8.215 or later without delay. Review your audit logs for unusual attachment deletion events if you were running an affected version.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41192 | Information Disclosure | FreeScout < 1.8.215 |
| CVE-2026-41192 | Information Disclosure | Vulnerable component: attachment handling in reply and draft flows |
| CVE-2026-41192 | Information Disclosure | Vulnerable function: Attachment::deleteByIds() via client-supplied encrypted attachment IDs |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.