CVE-2026-39384: Customer Visibility Bypass in FreeScout
Platform: laravel
Component: freescout-help-desk/freescout
Fixed in: 1.8.212
CVE-2026-39384 describes a customer visibility bypass vulnerability in FreeScout, a free help desk and shared inbox application built on Laravel. This flaw allows unauthorized users to potentially access customer data beyond their intended scope. The vulnerability impacts versions 1.8.0 through 1.8.211 and has been resolved in version 1.8.212.
Impact and Attack Scenarios
The core of this vulnerability lies in FreeScout's customer merging functionality. Prior to version 1.8.212, the application fails to enforce the `limit_user_customer_visibility` setting during customer merging. This means an attacker, potentially with only limited user privileges, could merge customers in a way that grants them access to data belonging to customers they should not be able to see. The potential impact includes unauthorized access to sensitive customer information such as contact details, support tickets, and potentially other personally identifiable information (PII) stored within the FreeScout system. While direct remote code execution is not possible, the data exposure represents a significant risk, particularly for organizations handling sensitive customer data.
Exploitation Context
CVE-2026-39384 was published on April 7, 2026. Its severity is rated as HIGH (CVSS 7.6). There is currently no indication that this vulnerability is being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, but the vulnerability’s nature suggests it could be relatively easy to exploit once a POC is developed.
Threat Intelligence
EPSS: 0.04% (11th percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet, with no physical or local access required; the largest attack surface.
- Attack Complexity: Low. No special conditions; the attacker can exploit reliably without unusual configurations.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. The impact is confined to the vulnerable component.
- Confidentiality: Low. Partial or indirect access to some data.
- Integrity: High. The attacker can write, modify or delete any data.
- Availability: Low. Partial or intermittent denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-39384 is to immediately upgrade FreeScout to version 1.8.212 or later. If upgrading is not immediately feasible due to compatibility concerns or downtime constraints, consider implementing a temporary workaround by carefully reviewing and restricting user permissions within FreeScout. Ensure that users only have access to the customers they absolutely need to support. While not a complete fix, this can limit the potential blast radius of the vulnerability. There are no specific WAF rules or detection signatures readily available for this vulnerability, making timely patching the most critical step. After upgrading, confirm the fix by attempting to merge customers with different visibility levels and verifying that access restrictions are properly enforced.
How to fix it
Update FreeScout to version 1.8.212 or later to mitigate the vulnerability. This release fixes the issue by correctly taking the `limit_user_customer_visibility` setting into account during customer merging, preventing the authorization bypass.
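The advisory describes the flaw (merge proceeds without honoring `limit_user_customer_visibility`) and recommends verifying the fix by merging customers of different visibility levels. The following is an added example, not FreeScout's code: a minimal in-process model of the merge-time check the fix restores, with the pre-fix and post-fix patterns side by side and the verification step as a function. Only the setting name comes from the advisory; the `User`/`Customer` types and the assumption that a non-admin user sees a customer only through a shared mailbox are constructed here to illustrate the pattern.

```python
"""Model of a customer-merge visibility check (added example, not FreeScout's code).

Assumed model, not taken from the advisory: a non-admin user can see a customer
only when the user shares at least one mailbox with that customer's conversations.
Only the setting name `limit_user_customer_visibility` is from the advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    id: int
    mailbox_ids: frozenset  # mailboxes holding this customer's conversations (assumed model)


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool
    mailbox_ids: frozenset  # mailboxes this user is allowed to work in (assumed model)


class MergeDenied(PermissionError):
    """Raised when the acting user may not see one of the customers being merged."""


def user_can_see_customer(user: User, customer: Customer, limit_visibility: bool) -> bool:
    # With the restriction off, or for admins, every customer is visible.
    if not limit_visibility or user.is_admin:
        return True
    # Otherwise visibility requires a shared mailbox (assumed model).
    return bool(user.mailbox_ids & customer.mailbox_ids)


def _do_merge(source: Customer, target: Customer) -> Customer:
    # The merged record carries the conversations (mailbox links) of both customers.
    return Customer(id=target.id, mailbox_ids=source.mailbox_ids | target.mailbox_ids)


def merge_customers_vulnerable(actor: User, source: Customer, target: Customer, settings: dict) -> Customer:
    # Pre-fix pattern: the setting is read but never enforced, so an agent can fold
    # a customer outside their scope into one they can see.
    _ = settings.get("limit_user_customer_visibility", False)
    return _do_merge(source, target)


def merge_customers_fixed(actor: User, source: Customer, target: Customer, settings: dict) -> Customer:
    # Fixed pattern: both sides of the merge must be visible to the acting user.
    limit = settings.get("limit_user_customer_visibility", False)
    for customer in (source, target):
        if not user_can_see_customer(actor, customer, limit):
            raise MergeDenied(f"user {actor.id} may not access customer {customer.id}")
    return _do_merge(source, target)


def verify_merge_enforcement(merge_fn) -> bool:
    """The post-upgrade check the advisory recommends, run against the model:
    an out-of-scope merge must be refused while an in-scope merge still works."""
    settings = {"limit_user_customer_visibility": True}
    agent = User(id=7, is_admin=False, mailbox_ids=frozenset({1}))
    visible = Customer(id=100, mailbox_ids=frozenset({1}))
    hidden = Customer(id=200, mailbox_ids=frozenset({2}))   # agent has no access to mailbox 2
    in_scope = Customer(id=101, mailbox_ids=frozenset({1}))

    try:
        merge_fn(agent, hidden, visible, settings)
    except MergeDenied:
        denied = True
    else:
        # Without the check, mailbox 2's conversations now hang off a customer the agent can see.
        denied = False
    allowed = merge_fn(agent, in_scope, visible, settings).mailbox_ids == frozenset({1})
    return denied and allowed


if __name__ == "__main__":
    print("fixed pattern enforces visibility:", verify_merge_enforcement(merge_customers_fixed))
    print("vulnerable pattern enforces visibility:", verify_merge_enforcement(merge_customers_vulnerable))
```

The point of `verify_merge_enforcement` is that a correct fix must fail closed on the out-of-scope customer and still permit ordinary merges; a check that blocks both would break the feature, and one that blocks neither is the vulnerable behaviour. Against a real instance the same two cases are exercised through the UI with a non-admin agent account while the setting is enabled.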
Frequently Asked Questions
What is CVE-2026-39384 — Customer Visibility Bypass in FreeScout?
CVE-2026-39384 is a HIGH severity vulnerability in FreeScout versions 1.8.0 to 1.8.211. It allows attackers to bypass customer visibility restrictions, potentially accessing sensitive customer data. The vulnerability stems from improper handling of customer merging.
Am I affected by CVE-2026-39384 in FreeScout?
You are affected if you are running FreeScout version 1.8.0 through 1.8.211. If you are using a later version (1.8.212 or higher), you are not vulnerable to this specific issue.
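As an added example (not the page's scanner or any FreeScout tooling), the check below applies the affected range stated above, 1.8.0 up to but not including 1.8.212, to the version strings found in a `composer.lock`. It assumes the install is recorded as a Composer package under the component name the advisory gives; many FreeScout deployments are installed as an application rather than a dependency, so the version reported by the running instance should be checked as well. The sample lock file is constructed, and pre-release suffixes are ranked below the corresponding final release so that, for example, a release candidate of 1.8.212 still counts as affected.

```python
"""Range check for CVE-2026-39384 against composer.lock entries (added example).

Assumption: FreeScout appears as a Composer package named as in the advisory.
"""
import json

PACKAGE = "freescout-help-desk/freescout"   # component name from the advisory
AFFECTED_MIN = (1, 8, 0, 0)   # 1.8.0, pre-releases included
FIXED_IN = (1, 8, 212, 1)     # final 1.8.212; its pre-releases are still affected


def parse_version(version: str) -> tuple:
    """'v1.8.205' -> (1, 8, 205, 1); '1.8.212-rc1' -> (1, 8, 212, 0).
    The last element ranks a pre-release below the final release.
    Raises ValueError for non-numeric versions such as 'dev-master'."""
    core, dash, _suffix = version.lstrip("vV").partition("-")
    core = core.split("+")[0]                      # drop build metadata
    numbers = [int(part) for part in core.split(".")[:3]]
    numbers += [0] * (3 - len(numbers))            # pad '1.8' to 1.8.0
    return tuple(numbers) + (0 if dash else 1,)


def is_affected(version: str) -> bool:
    """True when 1.8.0 <= version < 1.8.212. Non-numeric versions (branch
    aliases like dev-master) cannot be ranged and are reported as not matched;
    they need manual review."""
    try:
        return AFFECTED_MIN <= parse_version(version) < FIXED_IN
    except ValueError:
        return False


def find_affected(lock_text: str) -> list:
    """Return (section, version) for every affected FreeScout entry in the lock file."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE and is_affected(pkg.get("version", "0.0.0")):
                hits.append((section, pkg["version"]))
    return hits


# Constructed sample lock file (not from a real project): one affected entry.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "v2.0.1"},
        {"name": PACKAGE, "version": "v1.8.205"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version in find_affected(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): affected by CVE-2026-39384, upgrade to 1.8.212 or later")
```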
How do I fix CVE-2026-39384 in FreeScout?
The recommended fix is to immediately upgrade FreeScout to version 1.8.212 or later. If upgrading is not possible, temporarily restrict user permissions to limit potential data exposure.
Is CVE-2026-39384 being actively exploited?
There is currently no public information indicating that CVE-2026-39384 is being actively exploited in the wild.
Where can I find the official FreeScout advisory for CVE-2026-39384?
Refer to the official FreeScout security advisory for CVE-2026-39384, which can be found on the FreeScout website or GitHub repository (check for updates).