CVE-2026-41192
Published: 21 April 2026
Summary
CVE-2026-41192 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations before logical access operations like Attachment::deleteByIds(), directly preventing unauthorized deletion of attachments by mailbox peers.
SI-10 requires validation of client-supplied inputs such as attachments_all[] encrypted IDs to ensure they are legitimate and authorized, blocking replay-based deletion exploits.
AC-6 limits privileges to the minimum necessary, restricting low-privileged mailbox peers from performing cross-attachment deletions even if authorization checks are bypassed.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables unauthorized deletion of stored attachments/files via trusted client-supplied IDs and missing authorization, directly facilitating stored data manipulation.
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to…
more
`Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.
Deeper analysisAI
CVE-2026-41192 is a vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. In versions prior to 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Specifically, any IDs present in the `attachments_all[]` parameter but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. This flaw stems from `load_attachments` returning encrypted IDs for attachments on a visible conversation, enabling unauthorized deletion. The vulnerability is rated 7.1 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) and is associated with CWE-862 (Missing Authorization).
A mailbox peer with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction. By replaying encrypted attachment IDs obtained from a visible conversation through the `save_draft` endpoint, the attacker can trigger deletion of the original attachment row and associated file via `Attachment::deleteByIds()`. This results in high integrity impact (I:H) by allowing unauthorized removal of attachments and low availability impact (A:L) from the file deletion, without affecting confidentiality.
The FreeScout security advisory (GHSA-cv36-2j23-x6g3) and release notes for version 1.8.215 detail the fix, implemented in commit 5f182818e2391f8e711fec6ae6648ac0b367bef5. Security practitioners should upgrade to FreeScout 1.8.215 or later to mitigate the issue, as it addresses the trust in client-supplied IDs during draft and reply operations.
Details
- CWE(s)