CVE-2026-40591
Published: 21 April 2026
Summary
CVE-2026-40591 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). The CVE is ranked at the 8.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-5 (Separation of Duties).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the failure to check mailbox-scoped visibility during customer resolution in phone-conversation creation.
AC-6 least privilege limits low-privileged agents to operations within their own mailbox, mitigating unauthorized access to hidden customers in other mailboxes.
AC-5 separation of duties ensures distinct roles for different mailboxes, preventing a single agent from binding conversations across mailbox boundaries.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass enables unauthorized access to customer data across mailbox boundaries (T1213 Data from Information Repositories) and modification of stored customer records via added email aliases (T1565.001 Stored Data Manipulation).
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability.
Deeper analysis
CVE-2026-40591 is an authorization bypass vulnerability (CWE-639) in FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.214, the phone-conversation creation flow accepts attacker-controlled parameters including `customer_id`, `name`, `to_email`, and `phone`. The backend resolves the target customer without enforcing mailbox-scoped customer visibility, allowing unauthorized access and modification across mailbox boundaries.
A low-privileged agent with permission to create phone conversations in one mailbox (Mailbox A) can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a `customer_id` from a different mailbox (Mailbox B), the attacker can bind the new Mailbox A phone conversation to a hidden customer record in Mailbox B. Additionally, providing a `to_email` value enables the attacker to add a new alias email to that hidden customer record, resulting in limited confidentiality impact but high integrity impact (CVSS 7.1).
The FreeScout security advisory (GHSA-9ff4-mmhv-x6jp) and the release notes for version 1.8.214 describe the fix, which enforces mailbox-scoped visibility checks during customer resolution in the phone-conversation creation flow. Users should upgrade to FreeScout 1.8.214 or later; the fix is in commit 83eea1ca47d97c6cdc90c501734bc2579b014a34.
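As an added illustration (not FreeScout's own code), the snippet below contrasts a customer lookup that honours a user-supplied `customer_id` on its own with one that requires the customer to be visible in the agent's mailbox before a conversation is bound or a `to_email` alias is written. The data model, function names and the visibility rule (a customer is visible in a mailbox where it already has a conversation) are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:
    id: int
    emails: set[str] = field(default_factory=set)
    # Mailboxes in which this customer has a conversation; assumed visibility rule
    visible_in: set[int] = field(default_factory=set)

class NotVisible(PermissionError):
    """Raised when a customer id is not visible from the caller's mailbox."""

# Constructed sample data: customer 7 is only known to Mailbox B (id 2),
# customer 3 only to Mailbox A (id 1).
CUSTOMERS = {
    3: Customer(3, {"alice@example.com"}, {1}),
    7: Customer(7, {"hidden@example.com"}, {2}),
}

def resolve_customer_unscoped(customer_id):
    """Vulnerable pattern (CWE-639): the user-supplied key alone selects the record."""
    return CUSTOMERS.get(customer_id)

def resolve_customer_scoped(mailbox_id, customer_id):
    """Fixed pattern: the key is honoured only for customers visible in this mailbox."""
    customer = CUSTOMERS.get(customer_id)
    if customer is None or mailbox_id not in customer.visible_in:
        # Same answer for "no such id" and "not your mailbox", so ids cannot be probed
        raise NotVisible(f"customer {customer_id} is not visible in mailbox {mailbox_id}")
    return customer

def create_phone_conversation(mailbox_id, customer_id, to_email=None):
    """Bind a new phone conversation to a customer, optionally adding an alias email."""
    customer = resolve_customer_scoped(mailbox_id, customer_id)  # check before any write
    if to_email:
        customer.emails.add(to_email.strip().lower())
    customer.visible_in.add(mailbox_id)
    return {"mailbox_id": mailbox_id, "customer_id": customer.id,
            "emails": sorted(customer.emails)}

def attempt(mailbox_id, customer_id, to_email=None):
    """Wrapper returning (ok, payload) so denials can be logged instead of raised."""
    try:
        return True, create_phone_conversation(mailbox_id, customer_id, to_email)
    except NotVisible as exc:
        return False, str(exc)
```

The denial in `attempt` is the event worth logging: a Mailbox A agent referencing a customer id that is not visible in Mailbox A is exactly the request the unscoped lookup would have accepted.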
Details
- CWE(s)