Cyber Posture

CVE-2026-41190

High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0003 (8.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41190 is a high-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Enforces consistent authorization checks across all application endpoints, including the `save_draft` AJAX path, preventing unauthorized low-privilege users from accessing hidden conversations.

Prevent (SI-2, Flaw Remediation): Requires timely identification, reporting, and patching of authorization flaws like the inconsistent enforcement in FreeScout's `save_draft` endpoint prior to version 1.8.215.

Prevent: Limits low-privilege users to only the access they need, reducing the impact of authorization bypasses in features like draft creation in assigned conversations.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

An authorization bypass in a network-accessible web application directly enables T1190 (Exploit Public-Facing Application) via a crafted POST to the `save_draft` endpoint. It allows unauthorized stored data modification (draft creation) in restricted conversations, which maps to T1565.001.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The `save_draft` AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability.

Deeper analysis

CVE-2026-41190 is an authorization bypass vulnerability (CWE-863) in FreeScout, a free self-hosted help desk and shared mailbox application. The issue affects versions prior to 1.8.215, specifically when the `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` configuration is enabled. In this setup, the direct conversation view properly restricts access to users who are neither the assignee nor the creator of a conversation. However, the `save_draft` AJAX endpoint enforces weaker checks, allowing unauthorized users to create drafts within conversations that are otherwise hidden from them in the user interface. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high integrity impact with low confidentiality impact.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a direct POST request to the `save_draft` endpoint, the attacker can create drafts inside conversations they lack permission to view directly. This bypasses UI-level restrictions, potentially allowing unauthorized access to sensitive conversation content through the draft mechanism or enabling further abuse such as injecting misleading information.

Mitigation requires upgrading to FreeScout version 1.8.215 or later, which addresses the issue in the `save_draft` endpoint. Relevant advisories and patches are detailed in the GitHub security advisory (GHSA-vj2p-2789-3747), the release notes for version 1.8.215, and the fixing commit (414878eb79be7cb01a3ae124df6efcd23729275f).
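As an added illustration (not FreeScout's code), the following minimal Python model shows the inconsistency described above: the direct view and the `save_draft` path apply different rules, and the fix is to route both through one shared check. The class and function names, status codes and tiny data model are assumptions made for this example.

```python
# Added example modelling the CWE-863 pattern from the advisory. It is NOT
# FreeScout's code; Conversation, can_access, view_conversation, save_draft_*
# and the integer status codes are assumptions for illustration only.
from dataclasses import dataclass, field

# Mirrors the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS setting from the advisory.
SHOW_ONLY_ASSIGNED = True


@dataclass
class Conversation:
    id: int
    assignee_id: int
    creator_id: int
    drafts: list = field(default_factory=list)


def can_access(user_id: int, conv: Conversation) -> bool:
    """The single authorization rule: with the setting on, only the assignee
    or the creator may act on the conversation. Every endpoint must use it."""
    if not SHOW_ONLY_ASSIGNED:
        return True
    return user_id in (conv.assignee_id, conv.creator_id)


def view_conversation(user_id: int, conv: Conversation) -> int:
    """Direct view: already enforces the rule (this path was correct)."""
    return 200 if can_access(user_id, conv) else 403


def save_draft_vulnerable(user_id: int, conv: Conversation, body: str) -> int:
    """Weaker AJAX path: only checks that the caller is authenticated, so a
    non-assignee can store a draft in a conversation hidden from them."""
    if user_id <= 0:
        return 401
    conv.drafts.append((user_id, body))
    return 200


def save_draft_fixed(user_id: int, conv: Conversation, body: str) -> int:
    """Hardened AJAX path: reuses the same rule as the view, so the two
    endpoints can no longer disagree about who may act on a conversation."""
    if user_id <= 0:
        return 401
    if not can_access(user_id, conv):
        return 403
    conv.drafts.append((user_id, body))
    return 200
```

A useful regression check is the one the test below encodes: for any user the view rejects, every write path must reject too.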

Details

CWE(s): CWE-863 (Incorrect Authorization)

CVEs Like This One

CVE-2026-25561 (shared CWE-863)
CVE-2026-35412 (shared CWE-863)
CVE-2025-21506 (shared CWE-863)
CVE-2026-39331 (shared CWE-863)
CVE-2026-34376 (shared CWE-863)
CVE-2026-23989 (shared CWE-863)
CVE-2026-4933 (shared CWE-863)
CVE-2026-31887 (shared CWE-863)
CVE-2026-28808 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
