CVE-2026-39384
Published: 07 April 2026
Summary
CVE-2026-39384 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in FreeScout. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations, directly preventing the bypass of limit_user_customer_visibility during customer merge operations.
- SI-2 (Flaw Remediation): mandates identification, reporting and correction of flaws such as this authorization bypass, achieved by upgrading to the patched FreeScout version 1.8.212.
- AC-6 (Least Privilege): restricts low-privileged users from performing customer merges that would bypass visibility limits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authorization bypass in a public-facing web application (the FreeScout help desk) that authenticated low-privilege users can exploit remotely over the network, which maps directly to Exploit Public-Facing Application (T1190).
NVD Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
Deeper analysis
CVE-2026-39384 is an authorization bypass vulnerability in FreeScout, a free help desk and shared inbox application built with PHP's Laravel framework. In versions prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility setting into account when merging customers. The flaw is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
An attacker with low privileges, such as an authenticated low-privilege user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By initiating a customer merge, the attacker bypasses the visibility restrictions, potentially gaining unauthorized access to customer data outside their visibility scope (low confidentiality impact), making high-impact integrity changes such as altering customer associations, and causing limited disruption to availability.
The issue is fixed in FreeScout version 1.8.212. Administrators should upgrade to this release or later to mitigate the vulnerability. Official details are provided in the GitHub security advisory GHSA-j6v9-22vq-53vh and the fixing commit b395a1179117af5e2df704c6bad71feeb301b4ce.
Details
- CWE(s)