FreeScout CVE-2026-41906: Agent Can Expose Hidden Customer Data
The National Vulnerability Database has disclosed CVE-2026-41906, a high-severity vulnerability (CVSS 7.1) affecting FreeScout, a PHP-based help desk and shared inbox solution. Prior to version 1.8.214, a low-privileged agent could exploit a logical flaw to bind a visible conversation to a customer hidden in another mailbox. This is a critical bypass of access controls.
The vulnerability stems from an incomplete access control enforcement. While the frontend correctly filters out-of-scope customers in searches, the backend conversation_change_customer action fails to validate the supplied customer_email against the agent’s permissions. This allows an attacker to forge a request and link a conversation they can see to a customer they should not be able to access, potentially exposing sensitive customer information to unauthorized personnel.
This issue, categorized as CWE-639 (Notion of Authority), underscores the importance of consistent security checks across both client-side and server-side logic. Defenders running FreeScout must prioritize updating to version 1.8.214 or later. Failing to do so leaves customer data vulnerable to internal actors who might not even realize the full extent of their access, or worse, malicious insiders seeking to exfiltrate information.
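The authorization gap described above, modelled as an added illustration (this is not FreeScout's own code, and the mailbox/agent/customer/conversation model, the `HelpDesk` class and its two `change_customer_*` methods are hypothetical simplifications). It shows the CWE-639 pattern the advisory describes: the conversation is permission-checked but the supplied `customer_email` is treated as a trusted key, beside the hardened form where the customer lookup itself is scoped to the agent's mailboxes.

```python
"""Added illustration, not FreeScout's own code: the authorization gap behind
CVE-2026-41906 modelled in plain Python. Mailboxes, agents, customers and
conversations form a simplified, hypothetical data model; the two
change_customer methods show the vulnerable pattern (CWE-639) beside the
scoped check that closes it."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when an agent tries to act on data outside its mailbox scope."""


@dataclass
class Customer:
    email: str
    mailbox_id: int  # mailbox that owns this customer record (assumed model)


@dataclass
class Conversation:
    conv_id: int
    mailbox_id: int
    customer_email: str


@dataclass
class Agent:
    name: str
    mailbox_ids: set = field(default_factory=set)  # mailboxes the agent may access


class HelpDesk:
    """Constructed sample state: mailbox 1 is visible to the agent, mailbox 2 is not."""

    def __init__(self):
        self.customers = {
            "alice@example.test": Customer("alice@example.test", mailbox_id=1),
            "bob@example.test": Customer("bob@example.test", mailbox_id=1),
            "hidden@example.test": Customer("hidden@example.test", mailbox_id=2),
        }
        self.conversations = {
            100: Conversation(100, mailbox_id=1, customer_email="alice@example.test"),
            200: Conversation(200, mailbox_id=2, customer_email="hidden@example.test"),
        }

    def _visible_conversation(self, agent, conv_id):
        """The check both variants perform: the agent must be allowed into the
        conversation's mailbox. This is the only check the vulnerable path has."""
        conv = self.conversations[conv_id]
        if conv.mailbox_id not in agent.mailbox_ids:
            raise AuthorizationError("conversation is not in the agent's mailboxes")
        return conv

    def change_customer_vulnerable(self, agent, conv_id, customer_email):
        """Pre-1.8.214-style logic (modelled): only the conversation is
        authorised. customer_email is a user-controlled key that is trusted
        because the frontend search would never offer an out-of-scope customer."""
        conv = self._visible_conversation(agent, conv_id)
        customer = self.customers.get(customer_email)  # global lookup, no scope check
        if customer is None:
            raise KeyError("no such customer")
        conv.customer_email = customer.email  # hidden customer now bound to a visible thread
        return customer

    def change_customer_hardened(self, agent, conv_id, customer_email):
        """Hardened logic: the customer lookup itself is scoped to the agent's
        mailboxes, so a forged customer_email for a hidden customer is treated
        exactly like a non-existent one and the record never leaves its scope."""
        conv = self._visible_conversation(agent, conv_id)
        customer = self.customers.get(customer_email)
        if customer is None or customer.mailbox_id not in agent.mailbox_ids:
            # One error for "missing" and "out of scope": do not leak existence.
            raise AuthorizationError("customer is not accessible from the agent's mailboxes")
        conv.customer_email = customer.email
        return customer


if __name__ == "__main__":
    agent = Agent("support-agent", mailbox_ids={1})
    leaked = HelpDesk().change_customer_vulnerable(agent, 100, "hidden@example.test")
    print("vulnerable: bound a customer from mailbox", leaked.mailbox_id)
    try:
        HelpDesk().change_customer_hardened(agent, 100, "hidden@example.test")
    except AuthorizationError as exc:
        print("hardened:", exc)
```

The design point is that the scope check lives in the lookup, not only in the UI that populates the form: any server-side action that accepts an identifier chosen by the client has to re-derive the caller's authorization for that identifier, and returning the same error for "not found" and "not yours" keeps the action from doubling as an existence oracle.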
What This Means For You
- If your organization uses FreeScout, verify your version immediately. This isn't theoretical: a low-privileged agent, i.e. someone who already holds an account in your help desk, can link conversations to customers they shouldn't see. Patch to version 1.8.214 or higher right now and audit agent activity for any unusual customer association changes.
🛡️ Detection Rules
Detection rule auto-generated for this advisory, mapped to MITRE ATT&CK, in Sigma YAML.
FreeScout CVE-2026-41906: Unauthorized Customer Data Binding
```yaml
title: 'FreeScout CVE-2026-41906: Unauthorized Customer Data Binding'
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to exploit FreeScout CVE-2026-41906 by identifying requests to the 'conversation_change_customer' endpoint. An attacker with low privileges can abuse this endpoint to bind visible conversations to hidden customers in other mailboxes, exposing sensitive customer data. This detection focuses on the specific backend action targeted by the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41906/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/conversation_change_customer'
    cs-method: 'POST'
    sc-status: '200'
  condition: selection
falsepositives:
  - Legitimate agent or administrative use of the change-customer action (the rule matches every successful request to the endpoint, not only abusive ones)
```
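The selection above applied to web server log lines, as an added example that is not part of the advisory or the auto-generated rule. The log lines are constructed for illustration in W3C extended format; the field names `cs-uri`, `cs-method` and `sc-status` follow the rule, while `cs-username` and `c-ip` are assumed to be present in the log source. Because the page does not give the real request path for the action, the sample lines use only the substring the rule matches on. The per-agent tally at the end is the triage step the "audit agent activity" advice calls for, with a constructed baseline threshold.

```python
"""Added example, not part of the advisory: apply the Sigma selection for
CVE-2026-41906 to constructed W3C-style web server log lines, then tally
successful change-customer requests per agent as an audit aid."""
from collections import Counter

# Constructed sample log. The request path is a placeholder carrying only the
# substring the rule matches on; cs-username and c-ip are assumed fields.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-method cs-uri sc-status
2026-05-08 09:00:01 10.0.0.5 agent1 POST /conversation_change_customer 200
2026-05-08 09:00:07 10.0.0.5 agent1 GET /conversation/100 200
2026-05-08 09:01:15 10.0.0.9 agent2 POST /conversation_change_customer 200
2026-05-08 09:01:16 10.0.0.9 agent2 POST /conversation_change_customer 200
2026-05-08 09:01:17 10.0.0.9 agent2 POST /conversation_change_customer 200
2026-05-08 09:01:18 10.0.0.9 agent2 POST /conversation_change_customer 200
2026-05-08 09:01:19 10.0.0.9 agent2 POST /conversation_change_customer 403
2026-05-08 09:02:00 10.0.0.9 agent2 POST /customers/search 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def matches_rule(rec):
    """Mirror of the Sigma selection: the three field conditions are ANDed."""
    return (
        "/conversation_change_customer" in rec.get("cs-uri", "")
        and rec.get("cs-method") == "POST"
        and rec.get("sc-status") == "200"
    )


def hits_per_user(records):
    """Successful change-customer requests per authenticated agent."""
    return Counter(r.get("cs-username", "-") for r in records if matches_rule(r))


def flag_unusual(counts, baseline_max=2):
    """Agents whose count exceeds a baseline (constructed threshold); the rule
    itself fires on every legitimate change, so the tally is where triage starts."""
    return sorted(user for user, n in counts.items() if n > baseline_max)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    counts = hits_per_user(recs)
    print("rule hits per agent:", dict(counts))
    print("agents above baseline:", flag_unusual(counts))
```

Note that a web server log only shows that the action was called, not which `customer_email` was submitted; confirming whether an individual change crossed a mailbox boundary needs the application's own audit data, which is why the tally is an aid for prioritising review rather than a verdict.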
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41906 | Auth Bypass | FreeScout < 1.8.214 |
| CVE-2026-41906 | Auth Bypass | FreeScout vulnerable component: conversation_change_customer action |
| CVE-2026-41906 | Auth Bypass | FreeScout vulnerable endpoint: mailbox-filtered search endpoint |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.