CVE-2026-41189
Published: 21 April 2026
Summary
CVE-2026-41189 is a high-severity Incorrect Authorization (CWE-863) vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The vulnerability is ranked at the 9.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-41189 is an authorization vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.215, the `ThreadPolicy::edit()` function authorizes customer-thread editing by checking only mailbox access, without enforcing the assigned-only restriction defined in `ConversationPolicy`. This flaw enables users lacking permission to view a specific conversation to still load and edit customer-authored threads within it. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) and maps to CWE-863 (Incorrect Authorization).
A low-privileged authenticated user (PR:L) who has access to the mailbox but is not permitted to view a particular conversation in it (for example because the mailbox restricts that user to conversations assigned to them) can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction. Because the missing check is in the server-side policy rather than in the user interface, the restriction cannot be relied on to keep such a user away from the edit action. Exploitation allows loading and modifying customer-authored threads inside the restricted conversation, resulting in high integrity impact through unauthorized edits to support tickets or customer communications, alongside low confidentiality impact (the loaded thread content is disclosed) and no availability impact.
Mitigation is addressed in FreeScout version 1.8.215, which fixes the authorization logic as detailed in the project's security advisory (GHSA-4h5p-7f5c-q7gj), release notes, and fixing commit (cdadaf621bb1e1d017315df20d743671f7eae7a9). Organizations should upgrade to version 1.8.215 or later and confirm the deployed version after the upgrade; hiding the edit control in the UI does not close the gap, since the flawed check is the policy the edit route relies on.
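The authorization gap described above, as an added illustration in plain PHP that is not FreeScout's code: a thread-level policy that checks only mailbox access is placed beside a hardened form that derives thread permission from the conversation-level check. The class names (User, Conversation, Thread, ConversationPolicy, VulnerableThreadPolicy, HardenedThreadPolicy), the per-user seeOnlyAssigned flag, and the sample agent and conversation are assumptions modelled on the advisory's description of ThreadPolicy::edit() and ConversationPolicy, not the project's actual classes or data model. It runs stand-alone with PHP 8.1 or later.

```php
<?php
declare(strict_types=1);
// Added illustration, not FreeScout's code. Class names, the seeOnlyAssigned flag
// and the sample data below are assumptions modelled on the advisory text.

final class User
{
    /** @param int[] $mailboxIds mailboxes this user may access */
    public function __construct(
        public readonly int $id,
        private readonly array $mailboxIds,
        private readonly bool $seeOnlyAssigned, // assumed "assigned conversations only" restriction
    ) {}

    public function hasAccessToMailbox(int $mailboxId): bool
    {
        return in_array($mailboxId, $this->mailboxIds, true);
    }

    public function seesOnlyAssigned(): bool
    {
        return $this->seeOnlyAssigned;
    }
}

final class Conversation
{
    public function __construct(public readonly int $mailboxId, public readonly ?int $assigneeId) {}
}

final class Thread
{
    public function __construct(public readonly Conversation $conversation, public readonly bool $fromCustomer) {}
}

final class ConversationPolicy
{
    // A conversation is viewable only with mailbox access AND, for users limited
    // to assigned conversations, only when the conversation is assigned to them.
    public function view(User $user, Conversation $conversation): bool
    {
        if (!$user->hasAccessToMailbox($conversation->mailboxId)) {
            return false;
        }
        if ($user->seesOnlyAssigned() && $conversation->assigneeId !== $user->id) {
            return false;
        }
        return true;
    }
}

final class VulnerableThreadPolicy
{
    // The flawed pattern: only mailbox access is checked, so the assigned-only
    // restriction enforced at conversation level is never consulted (CWE-863).
    public function edit(User $user, Thread $thread): bool
    {
        return $thread->fromCustomer
            && $user->hasAccessToMailbox($thread->conversation->mailboxId);
    }
}

final class HardenedThreadPolicy
{
    public function __construct(private readonly ConversationPolicy $conversations) {}

    // Thread-level permission is derived from the conversation-level check:
    // a user who cannot view the conversation cannot edit anything inside it.
    public function edit(User $user, Thread $thread): bool
    {
        return $thread->fromCustomer
            && $this->conversations->view($user, $thread->conversation);
    }
}

// Constructed scenario: agent 7 may access mailbox 1 but is limited to assigned
// conversations; the conversation is assigned to a different agent (9).
$agent        = new User(id: 7, mailboxIds: [1], seeOnlyAssigned: true);
$conversation = new Conversation(mailboxId: 1, assigneeId: 9);
$thread       = new Thread($conversation, fromCustomer: true);

$conversationPolicy = new ConversationPolicy();
$canView   = $conversationPolicy->view($agent, $conversation);
$vulnEdit  = (new VulnerableThreadPolicy())->edit($agent, $thread);
$fixedEdit = (new HardenedThreadPolicy($conversationPolicy))->edit($agent, $thread);

printf("can view conversation : %s\n", var_export($canView, true));
printf("vulnerable edit()     : %s\n", var_export($vulnEdit, true));
printf("hardened edit()       : %s\n", var_export($fixedEdit, true));

// Invariant worth keeping as a regression test: edit must never be granted
// on a thread whose conversation the user is not allowed to view.
if ($fixedEdit && !$canView) {
    throw new LogicException('thread edit granted without conversation view');
}
```

In this scenario the conversation policy denies the view, the vulnerable thread policy still grants the edit because mailbox access alone satisfies it, and the hardened policy denies it. The last check is the property a regression test should pin down: a thread-level permission must be a subset of the conversation-level one, so any future change to ConversationPolicy is automatically reflected in thread editing.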
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24193
Vulnerability details
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not apply the assigned-only restriction from `ConversationPolicy`. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.
- CWE(s): CWE-863 (Incorrect Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1565.001 Stored Data Manipulation
Why these techniques?
An authorization bypass in the web application allows low-privileged authenticated users to load and modify restricted conversation threads, which directly facilitates unauthorized stored data manipulation.
Affected Assets
- FreeScout versions prior to 1.8.215 (fixed in 1.8.215)
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations for accessing and editing resources, directly addressing the failure of ThreadPolicy::edit() to apply ConversationPolicy restrictions.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws like the authorization bypass fixed in FreeScout version 1.8.215.
- AC-6 (Least Privilege): enforces least privilege to restrict low-privileged users from editing customer threads in conversations they cannot view.