Platform: php
Component: freescout-help-desk
Fixed in: 1.8.216
CVE-2026-41191 affects FreeScout help desk software versions 1.0.0 through 1.8.214. It allows users whose mailbox permission is limited to editing their signature ('sig') to change hidden chat-related mailbox settings by sending a crafted POST request directly, bypassing the access controls the user interface enforces. The vulnerability has been resolved in version 1.8.215, and users are strongly advised to upgrade.
The core impact of CVE-2026-41191 lies in the ability for a user with restricted permissions to alter critical mailbox settings. While the user interface only displays the signature field, a malicious actor can directly modify the chatstartnew setting via a POST request. This could lead to unintended chat behavior, potentially disrupting support workflows or enabling unauthorized communication channels. The blast radius is limited to the affected mailbox and its associated users, but the impact on support operations could be significant. This vulnerability highlights the importance of proper input validation and access control enforcement, even for seemingly innocuous settings.
CVE-2026-41191 was publicly disclosed on 2026-04-21. There are currently no known public proof-of-concept exploits available. The vulnerability's EPSS score is likely low to medium, given the requirement for specific mailbox permissions and the lack of widespread exploitation. It has not been added to the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-41191 is to upgrade FreeScout to version 1.8.215 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing temporary restrictions on direct POST requests to the MailboxesController::updateSave() endpoint. While not a complete solution, this can reduce the attack surface. Review FreeScout's access control configuration to ensure users only have the necessary permissions. After upgrading, verify the chatstartnew setting for all mailboxes to ensure it has not been maliciously altered.
Update FreeScout to version 1.8.215 or later to mitigate the vulnerability. This update corrects the issue by properly filtering allowed fields when updating mailbox settings, preventing users with limited permissions from modifying mailbox-wide chat settings.
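The fix the page describes, filtering the submitted fields against what the caller is permitted to change, is the standard remedy for this class of mass-assignment bug. The PHP below is an added illustration written for this page, not FreeScout's own code: the `Mailbox` class, the permission constants, and the `updateSettingsWeak`, `updateSettingsFixed`, and `findMailboxesWithChatEnabled` functions are hypothetical. Only the setting name `chatstartnew` and the `'sig'` permission label come from the advisory. It shows the vulnerable pattern (writing every POSTed key) beside the hardened one (an allowlist derived from the caller's permission, with rejected fields returned so they can be logged), plus the post-upgrade check of `chatstartnew` across mailboxes that the mitigation section recommends.

```php
<?php
// Added example for CVE-2026-41191; not FreeScout code. All class, function
// and constant names are hypothetical. The setting name 'chatstartnew' and the
// permission label 'sig' are the ones named in the advisory.
declare(strict_types=1);

const PERM_SIGNATURE_ONLY = 'sig';   // may edit only the mailbox signature
const PERM_ADMIN          = 'admin'; // may edit every mailbox setting

// Hypothetical mailbox record: one visible field and one hidden chat setting.
final class Mailbox
{
    public function __construct(
        public string $name,
        public string $signature = '',
        public bool $chatstartnew = false,
    ) {}
}

// The allowlist: which fields each permission level may write. Decided by the
// caller's permission, never by which keys happen to arrive in the request.
function allowedFields(string $permission): array
{
    return match ($permission) {
        PERM_ADMIN          => ['signature', 'chatstartnew'],
        PERM_SIGNATURE_ONLY => ['signature'],
        default             => [],
    };
}

// Vulnerable pattern: assumes the form only sends the fields the UI displays,
// so every recognised key in the POST body is written to the model.
function updateSettingsWeak(Mailbox $mailbox, array $post): void
{
    foreach ($post as $field => $value) {
        if (!property_exists($mailbox, $field)) {
            continue;
        }
        $mailbox->$field = is_bool($mailbox->$field) ? (bool) $value : (string) $value;
    }
}

// Fixed pattern: intersect the request with the allowlist for this caller and
// return the keys that were dropped so the application can log them. A 'sig'
// user sending 'chatstartnew' is a useful detection signal, not just noise.
function updateSettingsFixed(Mailbox $mailbox, array $post, string $permission): array
{
    $allowed  = allowedFields($permission);
    $rejected = array_values(array_diff(array_keys($post), $allowed));
    foreach (array_intersect_key($post, array_flip($allowed)) as $field => $value) {
        $mailbox->$field = is_bool($mailbox->$field) ? (bool) $value : (string) $value;
    }
    return $rejected;
}

// Post-upgrade check from the mitigation section: list mailboxes whose chat
// setting is on, so an operator can confirm each one was enabled intentionally.
function findMailboxesWithChatEnabled(array $mailboxes): array
{
    return array_values(array_map(
        fn(Mailbox $m) => $m->name,
        array_filter($mailboxes, fn(Mailbox $m) => $m->chatstartnew),
    ));
}

// Constructed request: a signature-only user submits the visible field plus
// the hidden chat setting, as a crafted POST (rather than the form) would.
$post = ['signature' => 'Regards, Support', 'chatstartnew' => '1'];

$weak = new Mailbox('support');
updateSettingsWeak($weak, $post);
printf("weak : chatstartnew=%s\n", var_export($weak->chatstartnew, true));   // true

$fixed = new Mailbox('support');
$rejected = updateSettingsFixed($fixed, $post, PERM_SIGNATURE_ONLY);
printf("fixed: chatstartnew=%s rejected=%s\n",
    var_export($fixed->chatstartnew, true), implode(',', $rejected));        // false, chatstartnew

$audit = [$weak, $fixed, new Mailbox('sales', chatstartnew: true)];
printf("chat enabled on: %s\n", implode(', ', findMailboxesWithChatEnabled($audit)));
```

Run with `php example.php` (PHP 8.0 or later for `match` and constructor promotion). The design point is that the allowlist is keyed on the permission, so adding a new hidden setting later does not silently widen what a 'sig' user can change; and returning the rejected keys gives the application something concrete to log, which is how an operator would notice attempts to set `chatstartnew` from a low-privilege account.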
CVE-2026-41191 is a HIGH severity vulnerability in FreeScout versions 1.0.0 through 1.8.214 that allows users with limited permissions to modify hidden chat settings via direct POST requests.
You are affected if you are running FreeScout versions 1.0.0 through 1.8.214. Upgrade to version 1.8.215 or later to mitigate the risk.
Upgrade FreeScout to version 1.8.215 or later. As a temporary workaround, restrict direct POST requests to the vulnerable endpoint.
There are currently no known reports of active exploitation of CVE-2026-41191, but it is crucial to apply the patch promptly.
Refer to the FreeScout security advisory for detailed information and updates: [https://freescout.com/security/](https://freescout.com/security/)