CVE-2026-39384 Overview
FreeScout, a free help desk and shared inbox built with PHP's Laravel framework, contains an authorization bypass vulnerability in versions prior to 1.8.212. The application fails to properly enforce the limit_user_customer_visibility parameter when merging customers, allowing authenticated users to bypass access controls and potentially access or modify customer data they should not have visibility into.
Critical Impact
Authenticated users can bypass customer visibility restrictions during customer merge operations, potentially exposing sensitive customer information and enabling unauthorized data modifications.
Affected Products
- FreeScout versions prior to 1.8.212
- FreeScout help desk installations with limit_user_customer_visibility enabled
- Self-hosted FreeScout deployments using customer segmentation features
Discovery Timeline
- 2026-04-07 - CVE-2026-39384 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39384
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The core issue lies in the customer merge functionality within FreeScout's CustomersController.php. When a user initiates a customer merge operation, the application validates visibility permissions for the primary customer but fails to validate the same permissions for the secondary customer being merged.
The vulnerability allows an authenticated user with limited customer visibility to merge customers outside their authorized scope by manipulating the customer2_id parameter. This effectively bypasses the multi-tenant security controls that organizations rely on to segment customer data between different support agents or teams.
Root Cause
The root cause is improper authorization enforcement in the customer merge endpoint. The controller method retrieves the second customer record using Customer::find() without subsequently validating whether the current user has visibility permissions for that customer record. The checkLimitVisibility() method was only being called on the primary customer, leaving the secondary customer parameter unchecked.
Attack Vector
The attack is network-based and requires low-privileged authentication. An attacker with valid credentials to a FreeScout instance can exploit this vulnerability by sending a crafted merge request specifying a customer2_id that belongs to a customer outside their authorized visibility scope. Since the application uses find() instead of findOrFail() and lacks visibility checks, the merge operation proceeds without proper authorization validation.
The following patch addresses the vulnerability by adding visibility checks for both customers involved in a merge operation:
]);\n \n $customer = Customer::findOrFail($id);
- $customer2 = Customer::find($request->customer2_id);
+ $customer2 = Customer::findOrFail($request->customer2_id);
$this->checkLimitVisibility($customer);
$this->checkLimitVisibility($customer2);
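Review bot: confirm that checkLimitVisibility() aborts the request (throws or calls abort()) rather than returning a value, because the hunk adds `$this->checkLimitVisibility($customer2);` with no use of a return value; if the method ever signals denial by return value instead, the second customer would still be merged. A second point on ordering: since `Customer::findOrFail($request->customer2_id)` now runs before both checks, a request naming a non-existent customer2_id receives a not-found response while an existing but out-of-scope id receives the access-denied response from the check, so consider answering both cases with the same status so the endpoint does not reveal which customer ids exist. The `\n` tokens in the first line are blank-line residue from rendering, not part of the source.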
Source: GitHub Commit Changes
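To make the defect described above concrete, the following is an added, self-contained PHP illustration written for this page; it is not FreeScout's code and it does not depend on Laravel. It models the merge endpoint in both its pre-1.8.212 shape (only the primary customer is checked, the second record comes from find()) and its fixed shape (both records fetched with findOrFail() and both passed to the visibility check). The Customer, User and MergeController classes, the in-memory rows, and the assumption that visibility is scoped by mailbox are all constructed for the example; only the method names find(), findOrFail() and checkLimitVisibility() come from the advisory.

```php
<?php
// Added illustration for CVE-2026-39384: a stripped-down model of the customer
// merge authorization, NOT FreeScout's own code. Everything except the names
// find/findOrFail/checkLimitVisibility is an assumption made for this example.
declare(strict_types=1);

final class ForbiddenException extends RuntimeException {}
final class NotFoundException extends RuntimeException {}

// Constructed in-memory customer table: id => owning mailbox and address.
// (Assumption: an agent may see a customer only if they can access its mailbox.)
final class Customer
{
    private static array $rows = [
        101 => ['id' => 101, 'mailbox_id' => 1, 'email' => 'a@example.test'],
        102 => ['id' => 102, 'mailbox_id' => 1, 'email' => 'b@example.test'],
        205 => ['id' => 205, 'mailbox_id' => 2, 'email' => 'c@example.test'],
    ];

    public function __construct(
        public readonly int $id,
        public readonly int $mailboxId,
        public readonly string $email
    ) {}

    // Laravel-style find(): returns null when the id does not exist.
    public static function find(int $id): ?self
    {
        $r = self::$rows[$id] ?? null;
        return $r === null ? null : new self($r['id'], $r['mailbox_id'], $r['email']);
    }

    // Laravel-style findOrFail(): throws instead of returning null.
    public static function findOrFail(int $id): self
    {
        return self::find($id) ?? throw new NotFoundException("customer $id not found");
    }
}

final class User
{
    /** @param int[] $mailboxIds mailboxes this agent may access */
    public function __construct(
        public readonly int $id,
        public readonly array $mailboxIds,
        public readonly bool $limitedVisibility = true
    ) {}
}

final class MergeController
{
    public function __construct(private User $user) {}

    // Plays the role of FreeScout's checkLimitVisibility(): abort the request when
    // visibility limiting is on and the customer lies outside the agent's mailboxes.
    private function checkLimitVisibility(Customer $customer): void
    {
        if ($this->user->limitedVisibility
            && !in_array($customer->mailboxId, $this->user->mailboxIds, true)) {
            throw new ForbiddenException("user {$this->user->id} may not access customer {$customer->id}");
        }
    }

    // Pre-1.8.212 shape: only the primary customer is checked; the second record
    // comes from find() and is merged unchecked (CWE-639).
    public function mergeVulnerable(int $id, int $customer2Id): string
    {
        $customer  = Customer::findOrFail($id);
        $customer2 = Customer::find($customer2Id);
        $this->checkLimitVisibility($customer);
        // no visibility check on $customer2 here
        return $this->doMerge($customer, $customer2);
    }

    // 1.8.212 shape: both records must exist and both must be visible to the user.
    public function mergeFixed(int $id, int $customer2Id): string
    {
        $customer  = Customer::findOrFail($id);
        $customer2 = Customer::findOrFail($customer2Id);
        $this->checkLimitVisibility($customer);
        $this->checkLimitVisibility($customer2);
        return $this->doMerge($customer, $customer2);
    }

    private function doMerge(Customer $into, ?Customer $from): string
    {
        if ($from === null) {
            return "merge skipped: second customer missing";
        }
        return "merged customer {$from->id} ({$from->email}) into {$into->id}";
    }
}

// Agent 7 may only access mailbox 1; customer 205 belongs to mailbox 2.
$agent = new User(id: 7, mailboxIds: [1]);
$ctl   = new MergeController($agent);

echo $ctl->mergeVulnerable(101, 205), "\n"; // old path: mailbox-2 record folded into a visible one
try {
    $ctl->mergeFixed(101, 205);
} catch (ForbiddenException $e) {
    echo "fixed path refused: ", $e->getMessage(), "\n";
}
```

Running the script (PHP 8.1 or later) prints one line showing the old path completing the merge and one line showing the fixed path stopping at the second visibility check. The important design point is that the check is applied to every record the request names, and that it fails by aborting rather than by returning a value the caller could ignore.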
Detection Methods for CVE-2026-39384
Indicators of Compromise
- Unusual customer merge activity in audit logs, particularly involving customers from different visibility segments
- Merge operations where the initiating user does not have visibility permissions to one or both customer records
- Elevated API requests to the customer merge endpoint from users with restricted visibility settings
- Unexplained consolidation of customer records across segmented data boundaries
Detection Strategies
- Monitor FreeScout application logs for customer merge operations and cross-reference with user visibility permissions
- Implement alerting for merge operations where customer2_id resolves to a customer outside the user's configured visibility scope
- Review web server access logs for POST requests to the customer merge controller endpoint
- Audit customer record modifications for unauthorized cross-segment data access patterns
Monitoring Recommendations
- Enable verbose application logging for all customer management operations in FreeScout
- Configure SIEM rules to detect anomalous customer merge patterns or high-frequency merge operations
- Implement database-level auditing on the customers table to track merge-related modifications
- Regularly review user activity reports focusing on customer record interactions
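As an added example of the cross-referencing described in the detection and monitoring lists above (it is not part of the advisory and not a FreeScout feature), the script below scans merge events and flags two things: merges where either customer_id or customer2_id falls outside the initiating user's visibility scope, and users whose merge rate exceeds a threshold within a sliding window. The log line format, the sample lines and the user/mailbox reference data are all constructed for the example; a real deployment would have to emit merge events in some logged form and pull the scope data from FreeScout's own tables.

```php
<?php
// Added detection sketch for CVE-2026-39384; not part of the advisory or of FreeScout.
// Assumptions: (1) each customer merge is logged as one line in the constructed
// format below (check the real format on your instance); (2) an agent's scope is
// the set of mailboxes they may access, and each customer maps to one mailbox.
declare(strict_types=1);

// Constructed sample log lines; the format is invented for this example.
const SAMPLE_LOG = <<<'LOG'
[2026-04-08 09:01:12] production.INFO: customer.merge user_id=7 customer_id=101 customer2_id=102
[2026-04-08 09:01:40] production.INFO: customer.merge user_id=7 customer_id=101 customer2_id=205
[2026-04-08 09:02:03] production.INFO: customer.merge user_id=7 customer_id=101 customer2_id=206
[2026-04-08 09:02:19] production.INFO: conversation.reply user_id=7 conversation_id=55
[2026-04-08 09:05:00] production.INFO: customer.merge user_id=3 customer_id=205 customer2_id=206
LOG;

// Constructed reference data standing in for the users/mailboxes/customers tables.
const USER_MAILBOXES   = [7 => [1], 3 => [1, 2]];                  // agent => accessible mailboxes
const CUSTOMER_MAILBOX = [101 => 1, 102 => 1, 205 => 2, 206 => 2]; // customer => owning mailbox

/** Parse one merge log line into its fields, or null when the line is not a merge event. */
function parseMergeLine(string $line): ?array
{
    $re = '/^\[(?<ts>[^\]]+)\] \S+: customer\.merge user_id=(?<user>\d+) '
        . 'customer_id=(?<c1>\d+) customer2_id=(?<c2>\d+)$/';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    return ['ts' => $m['ts'], 'user' => (int)$m['user'], 'c1' => (int)$m['c1'], 'c2' => (int)$m['c2']];
}

/** True when the user's mailbox scope covers the customer's mailbox; unknown customers count as out of scope. */
function inScope(int $userId, int $customerId): bool
{
    $mailbox = CUSTOMER_MAILBOX[$customerId] ?? null;
    return $mailbox !== null && in_array($mailbox, USER_MAILBOXES[$userId] ?? [], true);
}

/**
 * Return findings: every merge touching a customer outside the initiating user's
 * scope, plus users exceeding $burstThreshold merges within $windowSeconds.
 */
function analyzeMergeLog(string $log, int $burstThreshold = 2, int $windowSeconds = 120): array
{
    $findings    = [];
    $timesByUser = [];
    foreach (explode("\n", $log) as $line) {
        $ev = parseMergeLine($line);
        if ($ev === null) {
            continue; // not a merge event
        }
        foreach (['c1' => 'customer_id', 'c2' => 'customer2_id'] as $field => $label) {
            if (!inScope($ev['user'], $ev[$field])) {
                $findings[] = sprintf('%s out-of-scope merge: user %d, %s=%d',
                    $ev['ts'], $ev['user'], $label, $ev[$field]);
            }
        }
        // Sliding window per user: keep only timestamps inside the window, then count.
        $t = strtotime($ev['ts']);
        $timesByUser[$ev['user']][] = $t;
        $timesByUser[$ev['user']] = array_values(array_filter(
            $timesByUser[$ev['user']], fn(int $x): bool => $t - $x <= $windowSeconds));
        $n = count($timesByUser[$ev['user']]);
        if ($n > $burstThreshold) {
            $findings[] = sprintf('%s burst: user %d made %d merges within %ds',
                $ev['ts'], $ev['user'], $n, $windowSeconds);
        }
    }
    return $findings;
}

foreach (analyzeMergeLog(SAMPLE_LOG) as $f) {
    echo $f, "\n";
}
```

With the constructed data, user 7 (scope: mailbox 1) produces two out-of-scope findings (customers 205 and 206 in mailbox 2) and one burst finding (three merges within 120 seconds), while user 3 (scope: mailboxes 1 and 2) produces none. The scope check is the same rule the application itself should enforce; running it again over the logs is how you notice when the application did not.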
How to Mitigate CVE-2026-39384
Immediate Actions Required
- Upgrade FreeScout to version 1.8.212 or later immediately
- Review customer merge audit logs for any suspicious activity prior to patching
- Temporarily disable customer merge functionality if immediate patching is not possible
- Audit existing customer records for unauthorized merges that may have occurred
Patch Information
The vulnerability is fixed in FreeScout version 1.8.212. The patch adds the checkLimitVisibility() call for the second customer in merge operations and changes Customer::find() to Customer::findOrFail() to ensure proper error handling. Organizations should update their FreeScout installations through the standard update process. The fix can be reviewed in the GitHub Commit and additional details are available in the GitHub Security Advisory.
Workarounds
- Disable customer merge functionality at the application level until the patch can be applied
- Implement network-level access controls to restrict access to the customer merge endpoint
- Configure web application firewall rules to monitor and potentially block customer merge requests
- Enforce strict role-based access controls limiting which users can perform customer merge operations
# Verify FreeScout version after upgrade
cd /path/to/freescout
php artisan freescout:version
# Review recent customer merge activity in logs
grep -i "customer.*merge" storage/logs/laravel.log
# Check for unauthorized access patterns
tail -f storage/logs/laravel.log | grep -i "checkLimitVisibility"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.