平台
nodejs
组件
freescout-help-desk
修复版本
1.8.215
CVE-2026-40592 describes a vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. This flaw allows one agent within a shared mailbox to recall another agent's recently sent reply, even if they didn't create it. The vulnerability affects versions 1.0.0 through 1.8.213, and a fix is available in version 1.8.214.
The primary impact of this vulnerability is the potential disruption of communication within a shared mailbox environment. An attacker, posing as a legitimate agent, could maliciously recall replies sent by other agents, potentially deleting important messages or creating confusion. This could lead to missed customer inquiries, delayed responses, and a negative impact on customer service. While the vulnerability window is limited to 15 seconds, the potential for disruption and misuse exists, particularly in environments with multiple agents accessing the same mailbox.
This vulnerability was publicly disclosed on 2026-04-21. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the limited window of opportunity (15 seconds) and the requirement for access to a shared mailbox, the probability of exploitation is considered low to medium.
Organizations utilizing FreeScout with shared mailbox configurations are at risk. This includes businesses relying on shared inboxes for customer support, sales, or other collaborative communication purposes. The vulnerability is particularly relevant to deployments with multiple agents accessing the same mailbox, as it enables one agent to impact the work of others.
• nodejs / server:
grep -r 'conversation/undo-reply/{thread_id}' /opt/freescout/app/routes/• generic web:
curl -I 'http://your-freescout-instance/conversation/undo-reply/123' # Check for 200 OK response without authenticationdisclosure
漏洞利用状态
EPSS
0.04% (11% 百分位)
CISA SSVC
CVSS 向量
The recommended mitigation for CVE-2026-40592 is to immediately upgrade FreeScout to version 1.8.214 or later. If upgrading is not immediately feasible, consider implementing stricter access controls within the shared mailbox to limit the ability of agents to recall messages. While a direct workaround is not available, monitoring the 'undo-reply' endpoint for unusual activity could provide early detection. After upgrading, confirm the fix by attempting to recall a reply sent by another user; the action should be denied.
Actualice FreeScout a la versión 1.8.214 o posterior para mitigar la vulnerabilidad. Esta actualización verifica que el usuario actual sea el creador del mensaje antes de permitir la revocación, previniendo el acceso no autorizado a las respuestas de otros agentes en entornos de buzón compartido.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-40592 is a medium severity vulnerability in FreeScout versions 1.0.0 through 1.8.213 that allows one agent to recall another agent's sent reply in a shared mailbox.
You are affected if you are using FreeScout version 1.0.0 through 1.8.213 and have a shared mailbox configuration with multiple agents.
Upgrade FreeScout to version 1.8.214 or later to remediate the vulnerability. If immediate upgrade is not possible, implement stricter access controls.
There are currently no known active exploits or campaigns targeting CVE-2026-40592.
Refer to the FreeScout security advisory for details: [https://freescout.com/security/](https://freescout.com/security/)