CVE-2026-40590 Overview
FreeScout is a free self-hosted help desk and shared mailbox solution. A vulnerability exists in versions prior to 1.8.214 where the Change Customer modal exposes a "Create a new customer" flow via POST /customers/ajax with action=create. When operating under limited visibility conditions, the endpoint fails to properly enforce unique-email validation. If the supplied email already belongs to a hidden customer, the Customer::create() function reuses that hidden customer object and populates empty profile fields from attacker-controlled input, enabling unauthorized modification of customer records.
Critical Impact
Authenticated attackers with low privileges can manipulate hidden customer profile data through an authorization bypass, potentially compromising customer data integrity within the help desk system.
Affected Products
- FreeScout versions prior to 1.8.214
- FreeScout self-hosted help desk installations with customer visibility restrictions enabled
- Environments utilizing the Change Customer modal functionality
Discovery Timeline
- 2026-04-21 - CVE-2026-40590 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40590
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, a type of Insecure Direct Object Reference (IDOR) flaw. The core issue stems from insufficient validation in the customer creation workflow when visibility restrictions are in place.
The vulnerable endpoint /customers/ajax with the action=create parameter is designed to allow authenticated users to create new customer entries. However, when the application operates under limited visibility mode, a logic flaw causes the unique email validation to be bypassed. This creates a condition where an attacker can submit a request with an email address belonging to an existing hidden customer.
When this occurs, rather than rejecting the duplicate email or creating a new customer record, the Customer::create() function retrieves the existing hidden customer object and proceeds to populate any empty profile fields with the attacker-supplied values. This allows an authenticated user with minimal privileges to modify profile data for customers they should not have access to view or edit.
Root Cause
The root cause is improper authorization enforcement in the customer creation endpoint when limited visibility is enabled. The application fails to maintain consistent unique-email validation across different visibility contexts, and the Customer::create() method inappropriately reuses existing hidden customer objects instead of treating them as separate, inaccessible entities. This violates the principle of least privilege by allowing users to indirectly access and modify records that should be hidden from them.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the FreeScout application. An attacker must:
- Obtain valid authentication credentials for the FreeScout instance
- Identify or guess email addresses of hidden customers
- Submit a crafted POST request to /customers/ajax with action=create and the target email
- Include malicious values for profile fields they wish to populate on the hidden customer record
The vulnerability exploits the race condition between visibility checks and email uniqueness validation, allowing the attacker to "hijack" empty fields on hidden customer profiles. No user interaction is required beyond the attacker's own authenticated session.
The attack flow involves sending a malicious POST request to the /customers/ajax endpoint with the action=create parameter. When the supplied email matches a hidden customer, the system reuses that customer object and updates empty profile fields with attacker-controlled data. For complete technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-40590
Indicators of Compromise
- Unusual POST requests to /customers/ajax endpoint with action=create parameter from users who typically don't create customers
- Customer profile modifications without corresponding audit trail entries for legitimate user actions
- Multiple customer creation attempts using the same email address within short timeframes
- Evidence of profile field changes on hidden customer records
Detection Strategies
- Monitor application logs for repeated POST /customers/ajax requests with action=create from the same session
- Implement alerting for customer record modifications that bypass standard edit workflows
- Review web server access logs for patterns indicating enumeration of customer email addresses
- Configure SIEM rules to correlate customer creation events with visibility-restricted accounts
Monitoring Recommendations
- Enable detailed audit logging for all customer creation and modification operations
- Implement rate limiting on the /customers/ajax endpoint to prevent enumeration attacks
- Configure alerts for any modifications to hidden customer records
- Regularly review customer profile change history for anomalous updates
How to Mitigate CVE-2026-40590
Immediate Actions Required
- Upgrade FreeScout to version 1.8.214 or later immediately
- Review customer records for unauthorized modifications, particularly hidden customer profiles
- Audit user access logs for suspicious activity targeting the /customers/ajax endpoint
- Consider temporarily disabling the "Create a new customer" functionality in the Change Customer modal until patched
Patch Information
The vulnerability has been addressed in FreeScout version 1.8.214. The fix ensures proper unique-email validation is enforced regardless of visibility settings and prevents the Customer::create() function from reusing hidden customer objects.
Patch resources:
Workarounds
- Restrict access to customer creation functionality to trusted administrator accounts only
- Implement additional authentication requirements for the /customers/ajax endpoint
- Use web application firewall (WAF) rules to monitor and potentially block suspicious requests to the vulnerable endpoint
- Temporarily disable limited visibility features until the patch can be applied
# Configuration example
# Upgrade FreeScout to patched version
cd /path/to/freescout
git fetch --tags
git checkout 1.8.214
php artisan freescout:after-app-update
# Verify installation version
php artisan freescout:version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
