Platform
php
Component
freescout-help-desk
Fixed in
1.8.215
CVE-2026-40590 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in FreeScout, a self-hosted help desk and shared mailbox application. This flaw allows attackers to potentially manipulate customer data by exploiting a lack of email validation during customer creation. The vulnerability impacts versions 1.0.0 through 1.8.213 and has been resolved in version 1.8.214.
The SSRF vulnerability in FreeScout arises from insufficient validation within the /customers/ajax endpoint when creating new customers. Specifically, the endpoint lacks robust checks to ensure the provided email address is unique. An attacker can exploit this by supplying an email address already associated with a hidden (inactive or otherwise inaccessible) customer. This allows the attacker to reuse the existing customer object, effectively filling profile fields with attacker-controlled data. While the immediate impact might seem limited, this could lead to unauthorized access to sensitive customer information or manipulation of help desk workflows. The potential for data exfiltration or account takeover depends on the specific data stored within the customer profiles and the permissions associated with the reused account.
CVE-2026-40590 was publicly disclosed on 2026-04-21. As of this writing, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the potential impact and ease of exploitation, given the lack of authentication requirements for the vulnerable endpoint.
Organizations utilizing FreeScout for help desk and shared mailbox management are at risk, particularly those running versions 1.0.0 through 1.8.213. Shared hosting environments where multiple FreeScout instances reside on the same server are also at increased risk, as a compromise of one instance could potentially impact others. Any deployment relying on the default configuration without additional security hardening measures is potentially vulnerable.
• php: Examine FreeScout application logs for POST requests to /customers/ajax with action=create and unusual or unexpected data in the request body. Note that a standard web server access log records only the request line, not the POST body, so the grep below can only select the requests; the action=create filter has to be applied in a log that captures request bodies.
  grep 'POST /customers/ajax' /var/log/apache2/access.log
• generic web: Use curl to test the /customers/ajax endpoint with a known existing email address to see if a hidden customer object is reused (the email form-field name is not given on this page; email= is an assumed placeholder).
  curl -X POST -d 'name=Test&email=<existing-customer-email>&action=create' http://your-freescout-instance/customers/ajax
• generic web: Check FreeScout configuration files for any unusual or unexpected settings related to customer creation or email validation.
Disclosure
Exploit Status
EPSS
0.03% (percentile 8%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40590 is to immediately upgrade FreeScout to version 1.8.214 or later, which includes the necessary validation fixes. If upgrading is not immediately feasible due to compatibility concerns or downtime requirements, consider implementing a temporary workaround by restricting access to the /customers/ajax endpoint to trusted users only. Additionally, carefully review existing customer data for any suspicious or unexpected entries that might indicate prior exploitation. Monitor FreeScout logs for unusual activity related to customer creation or modification, paying close attention to requests originating from untrusted sources. There are no specific WAF rules or Sigma/YARA patterns readily available for this vulnerability, making proactive monitoring and prompt patching crucial.
Upgrade FreeScout to version 1.8.214 or later to mitigate the vulnerability. This update corrects email validation in the customer-creation flow, preventing attackers from reusing hidden customer objects.
CVE-2026-40590 is a Server-Side Request Forgery vulnerability affecting FreeScout help desk software versions 1.0.0 through 1.8.213, allowing attackers to potentially manipulate customer data.
If you are running FreeScout version 1.0.0 through 1.8.213, you are potentially affected by this vulnerability. Upgrade to version 1.8.214 or later to mitigate the risk.
The recommended fix is to upgrade FreeScout to version 1.8.214 or later. If immediate upgrade is not possible, restrict access to the /customers/ajax endpoint.
As of now, there is no evidence of active exploitation campaigns targeting CVE-2026-40590, but proactive patching is still recommended.
Refer to the FreeScout security advisory for detailed information and updates: [https://freescout.com/security/](https://freescout.com/security/)