MEDIUM · CVE-2026-40592 · CVSS 5.9

CVE-2026-40592: Reply Recall Vulnerability in FreeScout

Platform

php

Component

freescout-help-desk

Fixed in

1.8.214

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-40592 describes a vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. FreeScout lets an agent recall (undo) a reply for a short time after sending it. Because the recall action checked only that the requesting user had access to the mailbox, and not that they had written the reply, one agent in a shared mailbox could recall another agent's recently sent reply. The vulnerability affects versions 1.0.0 through 1.8.213; the fix, which adds an ownership check to the recall action, is in version 1.8.214.

Impact and Attack Scenarios

The primary impact is disruption of communication within a shared mailbox. Any authenticated agent with access to the mailbox (a low-privilege account, hence PR:L in the CVSS vector) can recall replies sent by other agents, deleting messages before the customer receives them and leaving the original author unaware that the reply never went out. This can cause missed customer inquiries, delayed responses and confusion between agents. The recall is only possible inside the application's 15 second undo window after a reply is sent, which limits the attack but does not remove it: in busy mailboxes with several agents replying concurrently there is a steady supply of fresh replies to recall.

Exploitation Context

This vulnerability was publicly disclosed on 2026-04-21. There are currently no known public proof-of-concept exploits. The vulnerability is not listed in the CISA KEV catalog at the time of writing. Exploitation requires a valid agent account with access to the shared mailbox (an insider or a compromised agent login) and must hit the 15 second window after another agent sends a reply, so the probability of exploitation is considered low to medium.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.04% (11% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 5.9 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires specific circumstances that the attacker does not fully control. Here the attacker must act within the 15 second recall window after another agent sends a reply.
Privileges Required
Low — any valid agent account with access to the shared mailbox is sufficient. No administrative rights are needed.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
High — the attacker can modify or delete data they do not own. Here, another agent's sent reply can be recalled and removed.
Availability
Low — partial or intermittent loss of service. Recalled replies never reach the customer, but the application itself keeps running.

Affected Software

Component: freescout-help-desk
Vendor: freescout-help-desk
Affected range: >= 1.0.0, < 1.8.214
Fixed in: 1.8.214

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published (2026-04-21)
  3. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2026-40592 is to upgrade FreeScout to version 1.8.214 or later as soon as possible. There is no configuration change that adds the missing ownership check, so if upgrading is not immediately feasible, reduce exposure instead: restrict shared-mailbox membership to the agents who actually need it, review agent accounts for stale or shared logins, and monitor the 'undo-reply' endpoint for unusual activity, for example a single agent recalling many replies in quick succession. After upgrading, confirm the fix by attempting to recall a reply sent by another user; the action should be denied and the reply should remain in the conversation.
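The monitoring suggested above can be scripted against the web server access log. The following PHP script is an added example and is not part of FreeScout; it assumes combined-format access log lines and that the recall action is a POST to a path containing "undo-reply" (check the route in your own deployment), and it flags any client that successfully recalls more than a threshold of replies inside a time window. The log lines embedded in it are constructed for the example.

```php
<?php
// Added illustrative detector, not FreeScout code.
// Assumptions: nginx/Apache "combined" log format; the recall action is a
// POST whose path contains "undo-reply/<thread id>"; a 200 response means
// the recall succeeded. Adjust the pattern to your real routes.

// Constructed sample log lines for the example.
$log = <<<'LOG'
203.0.113.5 - - [21/Apr/2026:10:00:01 +0000] "POST /conversation/undo-reply/101 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2026:10:00:04 +0000] "POST /conversation/undo-reply/102 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2026:10:00:07 +0000] "POST /conversation/undo-reply/103 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2026:10:05:00 +0000] "POST /conversation/undo-reply/104 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2026:10:05:03 +0000] "GET /conversation/104 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
LOG;

/**
 * Return, per client IP, the thread IDs recalled in a burst of more than
 * $threshold successful recalls within $window seconds.
 */
function findRecallBursts(string $log, int $threshold = 2, int $window = 60): array
{
    $pattern  = '/^(\S+) \S+ \S+ \[([^\]]+)\] "POST [^"]*undo-reply\/(\d+)[^"]*" (\d{3})/';
    $byClient = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                       // not a recall request
        }
        $ip = $m[1]; $ts = $m[2]; $thread = $m[3]; $status = $m[4];
        if ($status !== '200') {
            continue;                       // only successful recalls matter
        }
        $t = DateTime::createFromFormat('d/M/Y:H:i:s O', $ts)->getTimestamp();
        $byClient[$ip][] = ['t' => $t, 'thread' => $thread];
    }

    $alerts = [];
    foreach ($byClient as $ip => $events) {
        usort($events, function ($a, $b) { return $a['t'] <=> $b['t']; });
        $n = count($events);
        for ($i = 0; $i < $n; $i++) {
            // Widen the window from event $i as far as it reaches.
            $j = $i;
            while ($j + 1 < $n && $events[$j + 1]['t'] - $events[$i]['t'] <= $window) {
                $j++;
            }
            $count = $j - $i + 1;
            if ($count > $threshold) {
                $alerts[$ip] = array_column(array_slice($events, $i, $count), 'thread');
                break;
            }
        }
    }
    return $alerts;
}

foreach (findRecallBursts($log) as $ip => $threads) {
    printf("ALERT %s recalled %d replies within 60s: %s\n",
        $ip, count($threads), implode(', ', $threads));
}
```

With the sample lines, 203.0.113.5 is reported (three recalls in six seconds) and 198.51.100.9 is not. Two caveats: an access log identifies the client address, not the agent, so behind a reverse proxy log the forwarded client address or the detector sees one IP for everyone; and the log cannot tell whether the requester authored the recalled reply, which is exactly the check the fix adds in the application. Treat this as an early-warning signal, not a substitute for upgrading.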

How to fix

Update FreeScout to version 1.8.214 or later. The fixed version verifies that the current user is the creator of the message before allowing it to be recalled, so agents in a shared mailbox can no longer revoke each other's replies.
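The shape of that check, together with a feature test that performs the post-upgrade verification step described under Mitigation and Workarounds, as an added example written in Laravel style. This is not FreeScout's own code: the model and helper names (Thread, created_by_user_id, canAccessMailbox, the conversation.undo_reply route, the factories) are assumptions about a Laravel application, and in a real code base the controller and the test would be two files.

```php
<?php
// Added illustrative example, not FreeScout's own code. All identifiers below
// are assumptions about a Laravel app; map them to your real models/routes.

namespace App\Http\Controllers {

    use App\Thread;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    class ConversationsController extends Controller
    {
        // Seconds after sending during which a reply may still be recalled.
        const UNDO_WINDOW_SECONDS = 15;

        // Pre-fix shape: only mailbox membership was checked, so any agent in
        // the mailbox could recall anyone's recent reply:
        //
        //     if (!$user->canAccessMailbox($mailboxId)) abort(403);
        //     $thread->delete();

        public function undoReply(Request $request, $thread_id)
        {
            $user   = Auth::user();
            $thread = Thread::findOrFail($thread_id);

            // Mailbox membership is necessary but not sufficient.
            if (!$user->canAccessMailbox($thread->conversation->mailbox_id)) {
                abort(403);
            }

            // The fix: only the agent who wrote the reply may recall it.
            // Compare the stored author ID with the session user; never trust
            // an author ID supplied in the request.
            if ((int) $thread->created_by_user_id !== (int) $user->id) {
                abort(403, 'Only the author of a reply can recall it.');
            }

            // Enforce the recall window server-side; the browser countdown is only a UI hint.
            if ($thread->created_at->diffInSeconds(now()) > self::UNDO_WINDOW_SECONDS) {
                abort(403, 'The recall window has passed.');
            }

            $thread->delete();

            return response()->json(['status' => 'success']);
        }
    }
}

namespace Tests\Feature {

    use App\Thread;
    use App\User;
    use Illuminate\Foundation\Testing\RefreshDatabase;
    use Tests\TestCase;

    class UndoReplyTest extends TestCase
    {
        use RefreshDatabase;

        // Assumes the factories place both agents in the thread's mailbox.
        public function test_only_the_author_can_recall_a_reply()
        {
            $author = factory(User::class)->create();
            $other  = factory(User::class)->create();
            $thread = factory(Thread::class)->create(['created_by_user_id' => $author->id]);

            // Another agent in the same mailbox: refused, and the reply survives.
            $this->actingAs($other)
                 ->post(route('conversation.undo_reply', ['thread_id' => $thread->id]))
                 ->assertStatus(403);
            $this->assertDatabaseHas('threads', ['id' => $thread->id]);

            // The author, inside the 15 s window: allowed, and the reply is gone.
            $this->actingAs($author)
                 ->post(route('conversation.undo_reply', ['thread_id' => $thread->id]))
                 ->assertStatus(200);
            $this->assertDatabaseMissing('threads', ['id' => $thread->id]);
        }
    }
}
```

The two points worth keeping from this pattern are that the authorization decision is made from server-side state (the stored author ID and the session user) rather than anything the client sends, and that the recall window is enforced on the server even though the UI also shows a countdown. The test's first half is the manual verification step from the mitigation section: a second agent's recall must return 403 and leave the thread in place.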


Frequently asked questions

What is CVE-2026-40592 — Reply Recall Vulnerability in FreeScout?

CVE-2026-40592 is a medium severity vulnerability in FreeScout versions 1.0.0 through 1.8.213 that allows one agent to recall another agent's sent reply in a shared mailbox.

Am I affected by CVE-2026-40592 in FreeScout?

You are affected if you are using FreeScout version 1.0.0 through 1.8.213 and have a shared mailbox configuration with multiple agents.

How do I fix CVE-2026-40592 in FreeScout?

Upgrade FreeScout to version 1.8.214 or later to remediate the vulnerability. If an immediate upgrade is not possible, restrict shared-mailbox membership to the agents who need it and monitor recall activity until you can upgrade.

Is CVE-2026-40592 being actively exploited?

There are currently no known active exploits or campaigns targeting CVE-2026-40592.

Where can I find the official FreeScout advisory for CVE-2026-40592?

Refer to the FreeScout security advisory for details: [https://freescout.com/security/](https://freescout.com/security/)
