Platform
php
Component
freescout
Fixed in
1.8.216
CVE-2026-41189 is an authorization bypass vulnerability affecting FreeScout help desk software versions 1.0.0 through 1.8.215. The flaw allows users without the required permission to edit customer-authored threads within conversations, which can be used to tamper with the record of a support case and disrupt support workflows. The vulnerability is resolved in version 1.8.216, and users are strongly advised to upgrade immediately.
The impact is significant because an attacker with an ordinary FreeScout account can directly modify what a customer is recorded as having written. An attacker could rewrite a customer's message in a support ticket, remove or alter instructions the customer gave, or inject misleading or malicious content into a conversation that other agents will read and act on. This undermines the integrity of the support record and could lead to reputational damage or legal exposure if altered conversations are relied on later. The ability to edit customer-authored threads circumvents the intended access controls, enabling unauthorized modification of the support process. The vulnerability does not grant system access, but the effect on customer support operations and data integrity is considerable.
CVE-2026-41189 was publicly disclosed on 2026-04-21. There is currently no indication of active exploitation or a KEV listing, and no public proof-of-concept (PoC) code has been released. Because exploitation requires only an authenticated FreeScout account and no special tooling, it could become a target for opportunistic or insider attackers.
Exploit Status
EPSS
0.03% (8th percentile)
The primary mitigation for CVE-2026-41189 is to upgrade FreeScout to version 1.8.216 or later. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, consider temporary workarounds. No WAF rule can distinguish a legitimate thread edit from an unauthorized one, since both are the same request from an authenticated user; restricting access to the thread editing endpoints by user role can provide a limited layer of defense. Regularly review user access and activity logs for suspicious activity, particularly edits of customer-authored threads made by users who should not have that permission. After upgrading, confirm the fix by attempting to edit a customer-authored thread with an account that should not have editing privileges; the attempt should be denied.
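Two of the checks described above, the affected-version test and the review of logged thread edits, as an added Python example. This is not FreeScout's code and is not taken from the advisory. The version range comes from this page; the JSON audit-log format, its field names, and the rule that only the admin role may edit customer-authored threads are assumptions made for illustration and must be mapped onto whatever your deployment actually records.

```python
"""Post-advisory checks for CVE-2026-41189 (FreeScout thread-edit authz bypass).

Added example, not FreeScout code. Provides:
  is_affected(version)     True for FreeScout 1.0.0 .. 1.8.215 (fixed in 1.8.216)
  suspicious_edits(lines)  flags edits of customer-authored threads by users
                           whose role is not allowed to make them
The JSON audit-log layout used below is a constructed assumption.
"""
import json
import re
from typing import Iterable, List, Dict

AFFECTED_MIN = (1, 0, 0)       # from the advisory: first affected version
FIXED_IN = (1, 8, 216)         # from the advisory: first fixed version
ALLOWED_ROLES = {"admin"}      # assumption: only admins may edit customer threads

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '1.8.215' or 'v1.8.215-rc1' into (1, 8, 215).

    Pre-release suffixes are ignored, so treat a pre-release of 1.8.216
    as unfixed unless you have confirmed it carries the patch.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Integer-tuple comparison, not string comparison ('1.8.9' > '1.8.215')."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def suspicious_edits(lines: Iterable[str],
                     allowed_roles=frozenset(ALLOWED_ROLES)) -> List[Dict]:
    """Return thread.edit events on customer-authored threads by non-allowed roles.

    Each input line is expected to be one JSON object (assumed format):
      {"ts":..., "user":..., "role":..., "action":"thread.edit",
       "conversation":..., "thread":..., "thread_author":"customer"|"user"}
    Lines that are not JSON, or not thread edits, are skipped.
    Agents editing their own (user-authored) replies are legitimate and not flagged.
    """
    hits = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("action") != "thread.edit":
            continue
        if ev.get("thread_author") != "customer":
            continue
        if ev.get("role") in allowed_roles:
            continue
        hits.append({
            "line": lineno,
            "ts": ev.get("ts"),
            "user": ev.get("user"),
            "role": ev.get("role"),
            "conversation": ev.get("conversation"),
            "thread": ev.get("thread"),
        })
    return hits


# Constructed sample log: one bad edit, one admin edit, one agent editing
# their own reply, one garbage line, one unrelated event.
SAMPLE_LOG = """\
{"ts":"2026-04-22T09:14:03Z","user":"agent.kim","role":"user","action":"thread.edit","conversation":1042,"thread":7,"thread_author":"customer"}
{"ts":"2026-04-22T09:15:10Z","user":"admin.lee","role":"admin","action":"thread.edit","conversation":1042,"thread":7,"thread_author":"customer"}
{"ts":"2026-04-22T09:16:41Z","user":"agent.kim","role":"user","action":"thread.edit","conversation":1050,"thread":3,"thread_author":"user"}
not a json line at all
{"ts":"2026-04-22T09:20:00Z","user":"agent.ray","role":"user","action":"conversation.view","conversation":1042}
""".splitlines()


if __name__ == "__main__":
    for v in ("1.8.215", "1.8.216", "1.0.0", "0.9.9"):
        print(f"FreeScout {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for hit in suspicious_edits(SAMPLE_LOG):
        print("review:", hit)
```

Run it against your own export of FreeScout's activity log once you have adapted the parser to the real record layout; a non-empty result from `suspicious_edits` is a lead for incident review, not proof of exploitation, since the same event is also what a misconfigured but legitimate permission grant would produce.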
Update FreeScout to version 1.8.216 or higher to correct the vulnerability. This release fixes a security flaw that allowed users without the required permission to edit customer-authored threads.
CVE-2026-41189 is a HIGH severity authorization bypass vulnerability in FreeScout versions 1.0.0 through 1.8.215 that allows users without the required permission to edit customer-authored conversation threads. It is fixed in 1.8.216.
If you are running FreeScout version 1.0.0 through 1.8.215, you are affected by this vulnerability. Upgrade to 1.8.216 or later.
The recommended fix is to upgrade FreeScout to version 1.8.216 or later. If an immediate upgrade is not possible, review user permissions and check activity logs for edits of customer-authored threads by users who should not be able to make them.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants immediate attention and remediation.
Refer to the FreeScout security advisory for detailed information and updates: [https://freescout.com/security/](https://freescout.com/security/)