CVE-2026-40589
Published: 21 April 2026
Summary
CVE-2026-40589 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). The CVE ranks in the 11.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations in the application to prevent low-privileged agents from editing customer records, disclosing hidden customer details, reassigning emails, and rebinding conversations.
- Applies least privilege to restrict low-privileged agents from performing unauthorized actions on emails and data belonging to hidden customers in other mailboxes.
- Mandates explicit access control decisions for system resources such as customer records and emails, addressing the improper authorization logic exploited by low-privileged agents.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass in the web-based helpdesk application lets a low-privileged user access hidden customer data and conversations (T1213, Data from Information Repositories) and reassign emails and rebind conversations (T1565, Data Manipulation).
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer's name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue.
Deeper analysis
CVE-2026-40589 is an authorization bypass vulnerability (CWE-639) affecting FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.214, the issue allows a low-privileged agent to edit a visible customer record and add an email address that is already owned by a hidden customer in a different mailbox. This results in the server disclosing the hidden customer's name and profile URL via a success flash message, reassigning the hidden email to the visible customer, and rebinding conversations associated with that email from the hidden mailbox to the visible customer. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
A low-privileged agent user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By editing a customer they can see and appending an email address belonging to a hidden customer in another mailbox, the attacker gains unauthorized access to sensitive information, including the hidden customer's identity and profile details. Successful exploitation enables integrity violations by reassigning the email ownership and redirecting conversation history, potentially allowing the agent to access or manipulate tickets and data from restricted mailboxes.
The FreeScout security advisory (GHSA-mv55-3mgv-fxwr) and release notes for version 1.8.214 confirm that updating to this patch version resolves the issue. The fixing commit (2e2fe37111d92ac665b9ad8806eac94a1a3e502c) addresses the improper authorization logic in customer email handling. Administrators should upgrade to FreeScout 1.8.214 or later to mitigate the vulnerability.
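The following is an added example, not FreeScout's code and not taken from the fixing commit: it models the customer-email update path on a toy help-desk store to show the CWE-639 defect (a user-supplied customer id and email address drive a reassignment with no ownership check, and the success message names the prior owner) beside the explicit access-control decision that NIST AC-3/AC-6 call for. Every name in it (Mailbox ids, Customer, Conversation, Agent, Store, add_email_vulnerable, add_email_hardened, the sample addresses) is constructed for the demonstration.

```python
"""Added example, not FreeScout code: a CWE-639 authorization check on the
"add email to customer" path.  All types and sample data are constructed."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the acting agent may not perform the requested change."""


@dataclass
class Customer:
    id: int
    name: str
    mailbox_id: int                 # mailbox the customer record belongs to
    emails: set = field(default_factory=set)


@dataclass
class Conversation:
    id: int
    mailbox_id: int
    email: str                      # address the thread is with
    customer_id: int


@dataclass
class Agent:
    id: int
    mailbox_ids: set                # mailboxes this agent is permitted to see


@dataclass
class Store:
    customers: dict
    conversations: dict

    def owner_of(self, email):
        """Return the customer currently holding `email`, or None."""
        return next((c for c in self.customers.values() if email in c.emails), None)


def add_email_vulnerable(store, agent, customer_id, email):
    """Defective logic: trusts the caller-chosen customer id and address,
    moves the address and its conversations, and echoes the prior owner."""
    target = store.customers[customer_id]
    owner = store.owner_of(email)
    if owner is not None and owner.id != target.id:
        owner.emails.discard(email)
        for conv in store.conversations.values():
            if conv.email == email:
                conv.customer_id = target.id
        # Information leak: the flash names a customer the agent may not see.
        message = f"Email moved from {owner.name} (/customers/{owner.id})"
    else:
        message = "Email added"
    target.emails.add(email)
    return message


def add_email_hardened(store, agent, customer_id, email):
    """Explicit access-control decision (AC-3/AC-6): the agent must be
    authorised for the target's mailbox and, when the address already has an
    owner, for that owner's mailbox too; failures use one generic message."""
    target = store.customers.get(customer_id)
    if target is None or target.mailbox_id not in agent.mailbox_ids:
        raise AuthorizationError("email address cannot be added")
    owner = store.owner_of(email)
    if owner is not None and owner.id != target.id:
        if owner.mailbox_id not in agent.mailbox_ids:
            raise AuthorizationError("email address cannot be added")  # no name, no URL
        owner.emails.discard(email)
        for conv in store.conversations.values():
            # Rebind only threads in mailboxes the agent is allowed to see.
            if conv.email == email and conv.mailbox_id in agent.mailbox_ids:
                conv.customer_id = target.id
    target.emails.add(email)
    return "Email added"


def build_fixture():
    """Constructed data: mailbox 1 is visible to the agent, mailbox 2 is hidden."""
    visible = Customer(1, "Visible Person", mailbox_id=1, emails={"v@example.test"})
    hidden = Customer(2, "Hidden Person", mailbox_id=2, emails={"h@example.test"})
    store = Store(
        customers={1: visible, 2: hidden},
        conversations={10: Conversation(10, mailbox_id=2, email="h@example.test", customer_id=2)},
    )
    return store, Agent(id=7, mailbox_ids={1})


def demo():
    """Run both handlers on the same request and report what each did."""
    results = {}
    store, agent = build_fixture()
    results["vulnerable_message"] = add_email_vulnerable(store, agent, 1, "h@example.test")
    results["vulnerable_conv_owner"] = store.conversations[10].customer_id
    store, agent = build_fixture()
    try:
        add_email_hardened(store, agent, 1, "h@example.test")
        results["hardened_message"] = "allowed"
    except AuthorizationError as exc:
        results["hardened_message"] = str(exc)
    results["hardened_conv_owner"] = store.conversations[10].customer_id
    results["hidden_still_owns_email"] = "h@example.test" in store.customers[2].emails
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler makes two decisions rather than one: it checks the target record's mailbox (the obvious object-level check) and then separately checks the mailbox of whoever already owns the address, because the reassignment is really an edit of that second, hidden record. Returning the same generic error for both failures keeps the response from becoming an oracle for whether an address belongs to a hidden customer. When an agent legitimately has both mailboxes, the same function still performs the merge.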
Details
- CWE(s)