CVE-2026-41191
Published: 21 April 2026
Summary
CVE-2026-41191 is a high-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 8.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access in application controllers, preventing low-privileged users from persisting unauthorized parameters like `chat_start_new` outside allowed-field filters.
- AC-6 (Least Privilege): employs least privilege to restrict users with only the `sig` permission from modifying hidden mailbox-wide settings via direct POST requests.
- SI-10 (Information Input Validation): validates information inputs so that only permitted fields are processed and persisted based on user permissions, mitigating bypass of allowed-field filters.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The incorrect authorization vulnerability allows a low-privileged authenticated user to bypass the allowed-field filter and modify hidden mailbox settings through direct POST requests over the network. That maps to T1068 (Exploitation for Privilege Escalation), because the unauthorized configuration change exceeds what the user's permission grants, and to T1190 (Exploit Public-Facing Application), because the target is a web-based help desk application reached over the network.
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability.
Deeper analysis
CVE-2026-41191 is an incorrect authorization vulnerability (CWE-863) affecting FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.215, the `MailboxesController::updateSave()` function persists the `chat_start_new` parameter outside the allowed-field filter, enabling unauthorized modification of mailbox settings. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
A low-privileged authenticated user with only the mailbox `sig` permission—who sees only the signature field in the UI—can exploit this by sending a direct POST request to alter the hidden mailbox-wide chat setting. This network-accessible attack requires low complexity and no user interaction, resulting in low confidentiality impact but high integrity impact with no availability disruption.
FreeScout version 1.8.215 addresses the vulnerability by enforcing the allowed-field filter properly. Security practitioners should upgrade to this version or later. Key resources include the fixing commit at https://github.com/freescout-help-desk/freescout/commit/fb130de64e1c830d85dd6988eaa08d725a7be954, the release notes at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215, and the GitHub security advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wpv9-c2gv-2j82.
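To make the flaw class concrete, the following Python model is an added example written for this page; it is not FreeScout's code (FreeScout is a PHP application), and the `Mailbox` class, the permission-to-field map and the `admin` permission are assumptions. It places a handler that applies an allowed-field filter to most fields but persists one field outside it beside a hardened handler that runs every persisted field through the same per-permission allowlist and reports what it dropped, which is the signal a defender would log.

```python
"""
Hypothetical model of the authorization flaw class described above.
Not FreeScout code: Mailbox, ALLOWED_FIELDS and the 'admin' permission
are constructed for illustration only.
"""
from dataclasses import dataclass

# Permission -> fields that permission may update (constructed allowlist).
# 'sig' mirrors the signature-only permission from the advisory; 'admin'
# is an assumed permission that may change mailbox-wide settings.
ALLOWED_FIELDS = {
    "sig": {"signature"},
    "admin": {"signature", "name", "chat_start_new"},
}


@dataclass
class Mailbox:
    name: str = "Support"
    signature: str = ""
    chat_start_new: bool = False


def allowed_fields_for(permissions):
    """Union of the fields every held permission is allowed to update."""
    allowed = set()
    for perm in permissions:
        allowed |= ALLOWED_FIELDS.get(perm, set())
    return allowed


def update_save_vulnerable(mailbox, permissions, post):
    """Mirrors the flaw class: the allowlist governs most fields, but one
    field is read from the request and persisted outside the filter."""
    allowed = allowed_fields_for(permissions)
    for key in ("name", "signature"):
        if key in post and key in allowed:
            setattr(mailbox, key, post[key])
    # Defect: persisted regardless of the allowlist. The UI hides this
    # control from 'sig' users, but a direct POST can still carry it.
    if "chat_start_new" in post:
        mailbox.chat_start_new = bool(post["chat_start_new"])
    return mailbox


def update_save_fixed(mailbox, permissions, post):
    """Hardened form: every persisted field passes the same allowlist,
    and the rejected keys are returned so the caller can log or alert
    (a 'sig' user submitting 'chat_start_new' is worth recording)."""
    allowed = allowed_fields_for(permissions)
    rejected = sorted(set(post) - allowed)
    for key in allowed:
        if key in post:
            value = post[key]
            if key == "chat_start_new":
                value = bool(value)
            setattr(mailbox, key, value)
    return mailbox, rejected


def demo():
    """Run both handlers on a constructed direct POST from a 'sig' user."""
    post = {"signature": "-- Alice", "chat_start_new": 1}  # constructed input
    vuln = update_save_vulnerable(Mailbox(), {"sig"}, post)
    fixed, rejected = update_save_fixed(Mailbox(), {"sig"}, post)
    return vuln.chat_start_new, fixed.chat_start_new, rejected


if __name__ == "__main__":
    print(demo())  # (True, False, ['chat_start_new'])
```

The hardened handler iterates over the allowlist rather than over the request, so a field can only be written if a held permission names it; any key the request carries beyond that set is surfaced as `rejected` instead of silently ignored, which gives detection a hook without changing the response the user sees.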
Details
- CWE(s)