Cyber Resilience

CVE-2026-41192

High

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0004 13.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41192 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41192 is a vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Specifically, any IDs present in the `attachments_all[]` parameter but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. This flaw stems from `load_attachments` returning encrypted IDs for attachments on a visible conversation, enabling unauthorized deletion. The vulnerability is rated 7.1 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) and is associated with CWE-862 (Missing Authorization).

A mailbox peer with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction. By replaying encrypted attachment IDs obtained from a visible conversation through the `save_draft` endpoint, the attacker can trigger deletion of the original attachment row and associated file via `Attachment::deleteByIds()`. This results in high integrity impact (I:H) by allowing unauthorized removal of attachments and low availability impact (A:L) from the file deletion, without affecting confidentiality.

The FreeScout security advisory (GHSA-cv36-2j23-x6g3) and release notes for version 1.8.215 detail the fix, implemented in commit 5f182818e2391f8e711fec6ae6648ac0b367bef5. Security practitioners should upgrade to FreeScout 1.8.215 or later to mitigate the issue, as it addresses the trust in client-supplied IDs during draft and reply operations.

EU & UK References

Vulnerability details

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to…

more

`Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Vulnerability enables unauthorized deletion of stored attachments/files via trusted client-supplied IDs and missing authorization, directly facilitating stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34256Shared CWE-862
CVE-2025-0952Shared CWE-862
CVE-2025-24591Shared CWE-862
CVE-2026-27386Shared CWE-862
CVE-2025-11791Shared CWE-862
CVE-2026-34053Shared CWE-862
CVE-2025-59022Shared CWE-862
CVE-2024-11848Shared CWE-862
CVE-2026-3360Shared CWE-862
CVE-2026-4277Shared CWE-862

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations before logical access operations like Attachment::deleteByIds(), directly preventing unauthorized deletion of attachments by mailbox peers.

prevent

SI-10 requires validation of client-supplied inputs such as attachments_all[] encrypted IDs to ensure they are legitimate and authorized, blocking replay-based deletion exploits.

prevent

AC-6 limits privileges to the minimum necessary, restricting low-privileged mailbox peers from performing cross-attachment deletions even if authorization checks are bypassed.

References