Cyber Resilience

CVE-2026-41189

Severity: High
Published: 21 April 2026
Modified: 22 April 2026
KEV added: not listed
Patch: available (FreeScout 1.8.215)
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EPSS score: 0.0003 (9.8th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41189 is a high-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 9.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41189 is an authorization vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.215, the `ThreadPolicy::edit()` function authorizes customer-thread editing by checking only mailbox access, without enforcing the assigned-only restriction defined in `ConversationPolicy`. This flaw enables users lacking permission to view a specific conversation to still load and edit customer-authored threads within it. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) and maps to CWE-863 (Incorrect Authorization).

A low-privileged authenticated user (PR:L) with mailbox access but no view permissions on a conversation can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows loading and modifying customer-authored threads inside the restricted conversation, resulting in high integrity impact through unauthorized edits to support tickets or communications, alongside low confidentiality impact and no availability disruption.

Mitigation is addressed in FreeScout version 1.8.215, which fixes the authorization logic as detailed in the project's security advisory (GHSA-4h5p-7f5c-q7gj), release notes, and fixing commit (cdadaf621bb1e1d017315df20d743671f7eae7a9). Organizations should upgrade to version 1.8.215 or later to remediate the vulnerability.


Vulnerability details

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not apply the assigned-only restriction from `ConversationPolicy`. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.
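The missing delegation described in the Deeper analysis and Vulnerability details sections, modelled as an added PHP example that is not FreeScout's code: a thread policy that stops at mailbox access sits beside one that routes the decision through the conversation-level policy. The User, Conversation and Thread classes and the view() method are assumed simplifications of the real data model.

```php
<?php
// Illustrative PHP model of the CVE-2026-41189 flaw, written for this page, not FreeScout's
// code; every name except ThreadPolicy::edit() and ConversationPolicy is an assumption.
final class User {
    public function __construct(public int $id, public array $mailboxIds) {}
    public function hasMailboxAccess(int $mailboxId): bool {
        return in_array($mailboxId, $this->mailboxIds, true);
    }
}

final class Conversation {
    // $assignedOnly models the "assigned-only" restriction ConversationPolicy enforces.
    public function __construct(public int $mailboxId, public ?int $assigneeId, public bool $assignedOnly) {}
}

final class Thread {
    public function __construct(public Conversation $conversation, public bool $customerAuthored) {}
}

// Assumed stand-in for the conversation-level check: mailbox access and, when the
// conversation is assigned-only, the user must be the assignee.
final class ConversationPolicy {
    public function view(User $user, Conversation $c): bool {
        if (!$user->hasMailboxAccess($c->mailboxId)) return false;
        return !$c->assignedOnly || $c->assigneeId === $user->id;
    }
}

// Vulnerable shape: edit() stops at mailbox access, so the assigned-only
// restriction is never consulted for the thread's parent conversation.
final class ThreadPolicyVulnerable {
    public function edit(User $user, Thread $t): bool {
        return $user->hasMailboxAccess($t->conversation->mailboxId);
    }
}

// Hardened shape: a thread is editable only if its conversation is viewable.
final class ThreadPolicyFixed {
    public function __construct(private ConversationPolicy $conversations) {}
    public function edit(User $user, Thread $t): bool {
        return $this->conversations->view($user, $t->conversation);
    }
}

// Constructed scenario: agent 1 has access to mailbox 10, but the conversation
// is assigned-only and assigned to agent 2, so agent 1 must not edit its threads.
$agent  = new User(1, [10]);
$thread = new Thread(new Conversation(10, 2, true), customerAuthored: true);
var_dump((new ThreadPolicyVulnerable())->edit($agent, $thread));                   // mailbox access alone grants the edit
var_dump((new ThreadPolicyFixed(new ConversationPolicy()))->edit($agent, $thread)); // assigned-only restriction now denies it
```

The same pattern applies to any per-object authorization that sits below a parent object: derive the child decision from the parent's policy rather than re-implementing a weaker subset of it.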

Related Threats

MITRE ATT&CK Enterprise Techniques

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why this technique?

The authorization bypass in the web application allows low-privileged authenticated users to load and modify restricted conversation threads, directly facilitating unauthorized stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41190 (shared CWE-863)
CVE-2026-33330 (shared CWE-863)
CVE-2026-25561 (shared CWE-863)
CVE-2026-35412 (shared CWE-863)
CVE-2025-24233 (shared CWE-863)
CVE-2025-21506 (shared CWE-863)
CVE-2026-42843 (shared CWE-863)
CVE-2025-21565 (shared CWE-863)
CVE-2026-28951 (shared CWE-863)
CVE-2026-44110 (shared CWE-863)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations for accessing and editing resources, directly addressing the failure of ThreadPolicy::edit() to apply ConversationPolicy restrictions.

SI-2 Flaw Remediation (prevent): mandates timely identification, reporting, and correction of flaws like the authorization bypass fixed in FreeScout version 1.8.215.

Least privilege (prevent): restricts low-privileged users from editing customer threads in conversations they cannot view.
