MEDIUM · CVE-2026-40592 · CVSS 5.9

FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply


Platform

nodejs

Component

freescout-help-desk

Fixed version

1.8.215

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-40592 describes a vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. FreeScout's undo-reply feature lets an agent recall a reply for a short period after sending it, but the undo handler did not check that the requesting agent was the author of the reply: any agent with access to the same shared mailbox could recall another agent's recently sent reply. The vulnerability affects versions 1.0.0 through 1.8.213, and a fix is available in version 1.8.214.

Impact and attack scenarios

The primary impact is disruption of communication within a shared mailbox. An authenticated agent with access to the mailbox (no impersonation is needed; a normal agent account is enough) can recall replies sent by other agents, removing an outbound message before the customer receives it or creating confusion about what was actually sent. This can lead to missed customer inquiries, delayed responses and a poorer customer-service experience. The window is limited to the 15 seconds after a reply is sent, so the attacker has to act within that window for each reply, but the potential for disruption and misuse exists, particularly in environments where many agents share the same mailbox.

Exploitation status

This vulnerability was publicly disclosed on 2026-04-21. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the limited window of opportunity (15 seconds) and the requirement for access to a shared mailbox, the probability of exploitation is considered low to medium.

Who is at risk

Organizations utilizing FreeScout with shared mailbox configurations are at risk. This includes businesses relying on shared inboxes for customer support, sales, or other collaborative communication purposes. The vulnerability is particularly relevant to deployments with multiple agents accessing the same mailbox, as it enables one agent to impact the work of others.

Detection steps

• server (source tree):

  grep -r 'conversation/undo-reply/{thread_id}' /opt/freescout/app/routes/

  This only confirms that the undo-reply route is present, i.e. that the feature exists; it does not show whether the authorship check is in place. The reliable check is the installed version: compare it with 1.8.214, since every release from 1.0.0 through 1.8.213 is affected.

• generic web:

  curl -I 'http://your-freescout-instance/conversation/undo-reply/123'

  An unauthenticated request should be redirected to the login page or rejected. A 200 OK here would point to a different and more serious authentication problem, not to this CVE: CVE-2026-40592 requires a logged-in agent, so it cannot be confirmed from outside. The functional test is an authenticated one: logged in as agent B, send the undo request for a reply that agent A sent a few seconds earlier in a mailbox both can access; a vulnerable instance recalls it, a fixed one refuses.

Attack timeline

  1. Disclosure: 2026-04-21

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: NO
Internet exposure: not stated

EPSS

0.04% (11th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

CVSS vector

CVSS 3.1 base score 5.9 (MEDIUM): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (source: nextguardhq.com)

What these metrics mean:

Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
Attack Complexity: High. Requires a race condition, non-default configuration or specific circumstances (here, acting within the 15-second undo window); exploitation is difficult.
Privileges Required: Low. A valid user account is sufficient (here, an agent account with access to the shared mailbox).
User Interaction: None. The attack is automatic and silent; the victim does nothing.
Scope: Unchanged. Impact is confined to the vulnerable component.
Confidentiality: None. No impact on confidentiality.
Integrity: High. Data can be written, modified or deleted without authorization (another agent's reply can be recalled).
Availability: Low. Partial or intermittent denial of service.

Affected software

Component: freescout-help-desk
Vendor: freescout-help-desk
Affected range: < 1.8.214
Fixed version: 1.8.215 (as listed in this record; the advisory text above names 1.8.214 as the first fixed release)

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published: 2026-04-21
  3. EPSS updated

Mitigations and workarounds

The recommended mitigation for CVE-2026-40592 is to upgrade FreeScout to version 1.8.214 or later as soon as possible. There is no configuration switch that disables undo-reply or restricts it to the author, so no direct workaround exists; until you upgrade, reduce exposure by keeping the set of agents with access to each shared mailbox as small as the workflow allows, since only agents with access to a mailbox can recall replies in it. Monitoring requests to the 'undo-reply' endpoint, and in particular correlating the requesting agent with the author of the recalled reply, can provide early detection of misuse. After upgrading, confirm the fix by attempting, as one agent, to recall a reply just sent by another agent; the action should be denied.

How to fix

Upgrade FreeScout to version 1.8.214 or later to remediate the vulnerability. The update verifies that the current user is the creator of the message before allowing the recall, which prevents unauthorized access to other agents' replies in shared mailbox environments. Mailbox access alone is no longer sufficient; the undo request must also come from the agent who sent the reply, and it must still fall inside the undo window.
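The following is an added example, not FreeScout's own code, that models the authorization decision described above (the vulnerable "mailbox access is enough" check beside the fixed "caller must be the author" check, both inside the 15-second window) and, for the monitoring suggested in the mitigation section, a small detector that flags undo-reply requests whose actor is not the author of the recalled thread. The class names, field names, the 15-second constant and the audit-log line format are assumptions; FreeScout's real code, database schema and logs differ. The sample log lines and thread ownership are constructed.

```python
"""Added example, not FreeScout's own code: a minimal model of the undo-reply
authorization behind CVE-2026-40592 (vulnerable vs fixed) plus a detector that
flags cross-user undos in an assumed application audit log."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UNDO_WINDOW = timedelta(seconds=15)  # recall window stated in the advisory


@dataclass
class User:
    id: int
    mailbox_ids: frozenset  # mailboxes this agent may access (assumed model)


@dataclass
class Thread:
    id: int
    mailbox_id: int
    created_by_user_id: int  # agent who sent the reply
    created_at: datetime
    undone: bool = False


class Forbidden(Exception):
    """Raised when the undo is refused."""


def undo_reply_vulnerable(user: User, thread: Thread, now: datetime) -> bool:
    """Pre-1.8.214 behaviour: any agent with access to the mailbox may recall
    any reply inside the window; authorship is never checked."""
    if thread.mailbox_id not in user.mailbox_ids:
        raise Forbidden("no access to mailbox")
    if now - thread.created_at > UNDO_WINDOW:
        raise Forbidden("undo window expired")
    thread.undone = True
    return True


def undo_reply_fixed(user: User, thread: Thread, now: datetime) -> bool:
    """Fixed behaviour: the caller must also be the author of the reply."""
    if thread.mailbox_id not in user.mailbox_ids:
        raise Forbidden("no access to mailbox")
    if thread.created_by_user_id != user.id:
        raise Forbidden("only the author may undo this reply")
    if now - thread.created_at > UNDO_WINDOW:
        raise Forbidden("undo window expired")
    thread.undone = True
    return True


# Constructed audit-log lines in an assumed format (FreeScout's real logs differ):
# "<timestamp> user=<agent id> <method> <path> <status>"
SAMPLE_LOG = """\
2026-04-21T10:00:03Z user=7 POST /conversation/undo-reply/123 200
2026-04-21T10:00:09Z user=8 POST /conversation/undo-reply/124 200
2026-04-21T10:05:00Z user=8 GET /conversation/124 200
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) POST /conversation/undo-reply/(?P<thread>\d+) (?P<status>\d{3})$"
)
# Constructed thread ownership, standing in for a database lookup.
FIXED_TS = datetime(2026, 4, 21, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_THREADS = {
    123: Thread(123, 1, created_by_user_id=7, created_at=FIXED_TS),
    124: Thread(124, 1, created_by_user_id=7, created_at=FIXED_TS),
}


def flag_cross_user_undos(log_text: str, threads_by_id: dict) -> list:
    """Return (timestamp, actor, thread_id, author) for every successful
    undo-reply request whose actor is not the author of the recalled thread."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        actor, thread_id = int(m.group("user")), int(m.group("thread"))
        thread = threads_by_id.get(thread_id)
        if thread is not None and thread.created_by_user_id != actor:
            hits.append((m.group("ts"), actor, thread_id, thread.created_by_user_id))
    return hits


def demo() -> dict:
    """Replays the advisory's scenario: agent 8 tries to recall a reply that
    agent 7 sent 5 seconds earlier in a mailbox both agents can access."""
    now = datetime(2026, 4, 21, 10, 0, 5, tzinfo=timezone.utc)
    author = User(7, frozenset({1}))
    peer = User(8, frozenset({1}))

    def fresh() -> Thread:
        return Thread(123, 1, created_by_user_id=7, created_at=now - timedelta(seconds=5))

    results = {}
    for name, fn in (("vulnerable", undo_reply_vulnerable), ("fixed", undo_reply_fixed)):
        try:
            fn(peer, fresh(), now)
            results[name] = "recalled"
        except Forbidden as exc:
            results[name] = f"denied: {exc}"
    results["author_fixed"] = undo_reply_fixed(author, fresh(), now)  # author still allowed
    late = fresh()
    late.created_at = now - timedelta(seconds=20)  # outside the 15-second window
    try:
        undo_reply_fixed(author, late, now)
        results["author_late"] = "recalled"
    except Forbidden as exc:
        results["author_late"] = f"denied: {exc}"
    results["flagged"] = flag_cross_user_undos(SAMPLE_LOG, SAMPLE_THREADS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable check letting agent 8 recall agent 7's reply while the fixed check refuses it, the author still being allowed inside the window and refused after it, and the detector flagging only the second log line (agent 8 undoing thread 124, which agent 7 authored). The ownership check is placed before the window check so that a peer is refused with a clear reason regardless of timing.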


Frequently asked questions

What is CVE-2026-40592 — Reply Recall Vulnerability in FreeScout?

CVE-2026-40592 is a medium severity vulnerability in FreeScout versions 1.0.0 through 1.8.213 that allows one agent to recall another agent's sent reply in a shared mailbox.

Am I affected by CVE-2026-40592 in FreeScout?

You are affected if you are using FreeScout version 1.0.0 through 1.8.213 and have a shared mailbox configuration with multiple agents.

How do I fix CVE-2026-40592 in FreeScout?

Upgrade FreeScout to version 1.8.214 or later to remediate the vulnerability. If immediate upgrade is not possible, implement stricter access controls.

Is CVE-2026-40592 being actively exploited?

There are currently no known active exploits or campaigns targeting CVE-2026-40592.

Where can I find the official FreeScout advisory for CVE-2026-40592?

Refer to the FreeScout security advisory for details: [https://freescout.com/security/](https://freescout.com/security/)
