Platform
nodejs
Component
freescout-help-desk
Fixed in
1.8.215
CVE-2026-40592 describes a vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. This flaw allows one agent within a shared mailbox to recall another agent's recently sent reply, even if they didn't create it. The vulnerability affects versions 1.0.0 through 1.8.213, and a fix is available in version 1.8.214.
The primary impact of this vulnerability is the potential disruption of communication within a shared mailbox environment. An attacker, posing as a legitimate agent, could maliciously recall replies sent by other agents, potentially deleting important messages or creating confusion. This could lead to missed customer inquiries, delayed responses, and a negative impact on customer service. While the vulnerability window is limited to 15 seconds, the potential for disruption and misuse exists, particularly in environments with multiple agents accessing the same mailbox.
This vulnerability was publicly disclosed on 2026-04-21. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the limited window of opportunity (15 seconds) and the requirement for access to a shared mailbox, the probability of exploitation is considered low to medium.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-40592 is to immediately upgrade FreeScout to version 1.8.214 or later. If upgrading is not immediately feasible, consider implementing stricter access controls within the shared mailbox to limit the ability of agents to recall messages. While a direct workaround is not available, monitoring the 'undo-reply' endpoint for unusual activity could provide early detection. After upgrading, confirm the fix by attempting to recall a reply sent by another user; the action should be denied.
Update FreeScout to version 1.8.214 or later to mitigate the vulnerability. This update verifies that the current user is the creator of the message before allowing revocation, preventing unauthorized access to other agents' replies in shared mailbox environments.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40592 is a medium severity vulnerability in FreeScout versions 1.0.0 through 1.8.213 that allows one agent to recall another agent's sent reply in a shared mailbox.
You are affected if you are using FreeScout version 1.0.0 through 1.8.213 and have a shared mailbox configuration with multiple agents.
Upgrade FreeScout to version 1.8.214 or later to remediate the vulnerability. If immediate upgrade is not possible, implement stricter access controls.
There are currently no known active exploits or campaigns targeting CVE-2026-40592.
Refer to the FreeScout security advisory for details: [https://freescout.com/security/](https://freescout.com/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.