Vulnerability Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501
- https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-m
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-m
FAQ
What is CVE-2026-40591?
CVE-2026-40591 is a vulnerability with a CVSS score of 7.1 (HIGH). FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` ...
How severe is CVE-2026-40591?
CVE-2026-40591 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40591?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.