Cyber Resilience

CVE-2026-39384

Severity: High · Public PoC

Published: 07 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: 1.8.212
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0005 (14.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39384 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in FreeScout (vendor Freescout, product freescout). Its CVSS v3.1 base score is 7.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 14.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39384 is an authorization bypass vulnerability in FreeScout, a free help desk and shared inbox application built on the Laravel PHP framework. In versions prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers: the merge operation acts on the customer identifiers supplied by the caller without re-applying the visibility restriction that normally limits which customers a user may see. This is the CWE-639 pattern (Authorization Bypass Through User-Controlled Key), and it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

An attacker with low privileges, such as an authenticated help desk user, can exploit this remotely over the network with low complexity and no user interaction. By initiating a customer merge that names customers outside their permitted scope, the attacker bypasses the visibility restriction, gaining unauthorized access to limited customer data (low confidentiality impact), performing high-impact integrity changes such as altering which records and conversations a customer is associated with, and causing limited availability disruption. Note that a merge collapses two records into one, so the integrity impact is not easily reversed after the fact.

The issue is fixed in FreeScout version 1.8.212. Administrators should upgrade to this release or later to mitigate the vulnerability. Official details are provided in the GitHub security advisory GHSA-j6v9-22vq-53vh and the fixing commit b395a1179117af5e2df704c6bad71feeb301b4ce.
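The following is an added illustration written for this page; it is not FreeScout's code and is not taken from the advisory or the fixing commit. It models the CWE-639 pattern described above in plain PHP (8.1 or later): a merge handler receives two caller-chosen customer IDs, and the only difference between the vulnerable and hardened paths is whether each ID is authorized against the visibility setting before any state changes. The User, Customer and Repo classes, the canSeeCustomer rule, and the assumption that a limited user may only see customers who have a conversation in one of that user's mailboxes are all constructions for this example and do not describe FreeScout's actual data model.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout's own code. The data model below is a
// stand-in for the real application's Eloquent models and is assumed.

final class User {
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdmin,
        /** @var int[] mailbox IDs the user is assigned to (assumed model) */
        public readonly array $mailboxIds,
    ) {}
}

final class Customer {
    public function __construct(
        public readonly int $id,
        public readonly string $email,
        /** @var int[] mailbox IDs this customer has conversations in (assumed model) */
        public readonly array $conversationMailboxIds,
    ) {}
}

/** Constructed in-memory "database" standing in for database queries. */
final class Repo {
    /** @var array<int, Customer> */
    private array $customers = [];

    public function __construct(Customer ...$customers) {
        foreach ($customers as $c) {
            $this->customers[$c->id] = $c;
        }
    }

    public function find(int $id): ?Customer {
        return $this->customers[$id] ?? null;
    }

    public function has(int $id): bool {
        return isset($this->customers[$id]);
    }

    /** A real merge re-points conversations and deletes the merged record; here we only drop it. */
    public function mergeInto(int $keepId, int $mergeId): void {
        unset($this->customers[$mergeId]);
    }
}

/** Visibility rule (assumed semantics of the limit_user_customer_visibility setting). */
function canSeeCustomer(User $user, Customer $customer, bool $limitVisibility): bool {
    if (!$limitVisibility || $user->isAdmin) {
        return true;
    }
    return count(array_intersect($user->mailboxIds, $customer->conversationMailboxIds)) > 0;
}

/** Vulnerable pattern: caller-supplied keys are used directly (CWE-639); the setting is never consulted. */
function mergeCustomersVulnerable(Repo $repo, User $user, int $keepId, int $mergeId, bool $limitVisibility): bool {
    $keep = $repo->find($keepId);
    $merge = $repo->find($mergeId);
    if ($keep === null || $merge === null || $keepId === $mergeId) {
        return false;
    }
    $repo->mergeInto($keepId, $mergeId);
    return true;
}

/** Hardened pattern: every user-supplied key is authorized against the setting before any state change. */
function mergeCustomersFixed(Repo $repo, User $user, int $keepId, int $mergeId, bool $limitVisibility): bool {
    $keep = $repo->find($keepId);
    $merge = $repo->find($mergeId);
    if ($keep === null || $merge === null || $keepId === $mergeId) {
        return false;
    }
    foreach ([$keep, $merge] as $c) {
        if (!canSeeCustomer($user, $c, $limitVisibility)) {
            return false; // deny; nothing has been modified yet
        }
    }
    $repo->mergeInto($keepId, $mergeId);
    return true;
}

// Constructed scenario: a non-admin agent assigned only to mailbox 1 tries to merge
// customer 200, who only has conversations in mailbox 2, into customer 100.
$agent = new User(id: 7, isAdmin: false, mailboxIds: [1]);
$mine  = new Customer(100, 'alice@example.com', [1]);
$other = new Customer(200, 'bob@example.com', [2]);

$repo = new Repo($mine, $other);
var_dump(mergeCustomersVulnerable($repo, $agent, 100, 200, true));
var_dump($repo->has(200));

$repo = new Repo($mine, $other);
var_dump(mergeCustomersFixed($repo, $agent, 100, 200, true));
var_dump($repo->has(200));
```

Run with `php merge_example.php` (PHP 8.1+). The vulnerable path accepts the merge and removes customer 200 even though the agent cannot see that customer; the hardened path refuses before touching the repository. The design point worth carrying into a real code base is that the authorization check is applied to every identifier the caller controls, on the write path and not only on the listing or search path where the visibility setting is usually enforced.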

Vulnerability details

FreeScout is a free help desk and shared inbox built on the Laravel PHP framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authorization bypass in a public-facing web application (the FreeScout help desk) that any authenticated low-privilege user can trigger remotely over the network, which is the pattern covered by the Exploit Public-Facing Application technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27637 (same product: Freescout Freescout)
CVE-2025-54366 (same product: Freescout Freescout)
CVE-2026-27636 (same product: Freescout Freescout)
CVE-2025-58163 (same product: Freescout Freescout)
CVE-2026-28289 (same product: Freescout Freescout)
CVE-2026-40496 (same product: Freescout Freescout)
CVE-2026-40498 (same product: Freescout Freescout)
CVE-2026-32752 (same product: Freescout Freescout)
CVE-2026-32754 (same product: Freescout Freescout)
CVE-2026-40497 (same product: Freescout Freescout)

Affected Assets

Vendor: freescout
Product: freescout
Affected versions: < 1.8.212 (fixed in 1.8.212)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement (prevent)

Requires enforcement of approved authorizations on every access, directly preventing the bypass of limit_user_customer_visibility during customer merging operations.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and correction of flaws like this authorization bypass, achieved by upgrading to the patched FreeScout version 1.8.212 or later.

AC-6 Least Privilege (prevent)

Enforces least privilege to restrict low-privileged users from performing customer merges, a compensating control that narrows who can reach the vulnerable operation until the upgrade is applied.

References

GitHub security advisory GHSA-j6v9-22vq-53vh
Fixing commit b395a1179117af5e2df704c6bad71feeb301b4ce