CVE-2026-40592 Overview
FreeScout is a free self-hosted help desk and shared mailbox application. A Missing Authorization vulnerability (CWE-862) was identified in versions prior to 1.8.214 that affects the undo-send functionality. The vulnerable route GET /conversation/undo-reply/{thread_id} only verifies whether the current user can view the parent conversation but fails to validate that the current user is the author of the reply being undone. This authorization bypass allows any agent with conversation view permissions to recall another agent's just-sent reply during the 15-second undo window in shared mailbox environments.
Critical Impact
Agents in a shared mailbox can delete or recall replies sent by other agents, potentially disrupting customer communications, hiding evidence of sent messages, or interfering with legitimate support workflows.
Affected Products
- FreeScout versions prior to 1.8.214
- Self-hosted FreeScout help desk installations with shared mailbox functionality
- Environments with multiple agents accessing the same conversation threads
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40592 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40592
Vulnerability Analysis
This vulnerability represents a classic Broken Access Control flaw categorized under CWE-862 (Missing Authorization). The core issue lies in incomplete authorization checks within the undo-reply endpoint. While the application correctly validates that the requesting user has permission to view the conversation, it neglects to verify ownership of the specific reply being recalled.
In shared mailbox scenarios, multiple support agents have access to the same conversations. The 15-second undo window, designed as a user convenience feature to correct mistakes, becomes a security liability when any agent with view access can abuse it to recall replies they did not author.
The vulnerability requires network access and valid authentication as an agent with conversation view permissions. While exploitation requires specific timing (within the 15-second window), the impact on integrity is significant as it allows unauthorized modification of conversation history.
Root Cause
The root cause is missing ownership validation in the undo-reply route handler. The authorization logic only performs a conversation-level access check rather than a reply-level ownership check. The endpoint accepts a thread_id parameter and validates the user can view the parent conversation, but the code path does not compare the user_id of the reply author against the authenticated user making the undo request.
Attack Vector
The attack exploits the network-accessible undo-reply endpoint that accepts a thread_id parameter. An authenticated agent monitors or accesses a shared conversation where another agent has just sent a reply. Within the 15-second undo window, the attacker crafts a GET request to /conversation/undo-reply/{thread_id} using the target reply's thread ID. Since the endpoint only validates conversation view permissions, the request succeeds, recalling the victim agent's reply without their knowledge or consent.
The vulnerability mechanism involves insufficient authorization checks on the undo-reply route. When a request is made to /conversation/undo-reply/{thread_id}, the application retrieves the thread and its parent conversation, then checks if the requesting user has view permissions on the conversation. However, no verification is performed to ensure the requesting user is the author of the reply being undone. This allows any agent with conversation access to recall any other agent's recent replies. For technical implementation details, see the GitHub Commit Details.
Detection Methods for CVE-2026-40592
Indicators of Compromise
- Undo-reply requests where the requesting user ID differs from the original reply author ID in application logs
- Unusual patterns of reply deletions or recalls in shared mailbox conversations
- Agent complaints about missing replies they sent but did not recall
- Audit log entries showing undo operations performed by users other than the reply creator
Detection Strategies
- Implement application-level logging that captures both the requesting user and the reply author for undo operations
- Monitor for anomalous undo-reply activity patterns, particularly high-frequency recalls or recalls across different user sessions
- Review web server access logs for GET requests to /conversation/undo-reply/ endpoints with correlation to user sessions
- Deploy web application firewall rules to detect and alert on suspicious undo-reply request patterns
Monitoring Recommendations
- Enable detailed request logging for the /conversation/undo-reply/ endpoint including authenticated user context
- Set up alerts for undo operations where the requester differs from the original message author
- Implement audit trails that cannot be modified to track all conversation modifications
- Periodically review user activity reports for unusual recall patterns in shared mailbox environments
How to Mitigate CVE-2026-40592
Immediate Actions Required
- Upgrade FreeScout to version 1.8.214 or later immediately
- Review recent undo-reply activity logs to identify potential exploitation
- Notify affected agents if evidence of unauthorized recall activity is discovered
- Consider temporarily disabling the undo-reply feature if immediate patching is not possible
Patch Information
FreeScout version 1.8.214 addresses this vulnerability by implementing proper ownership validation in the undo-reply handler. The fix ensures that only the agent who originally sent the reply can recall it during the undo window. The security patch is available through the GitHub Release 1.8.214. Additional details about the vulnerability and fix can be found in the GitHub Security Advisory GHSA-674v-r6xp-mvp6.
Workarounds
- Restrict shared mailbox access to trusted personnel only until patching is complete
- Implement network-level access controls to limit who can reach the FreeScout application
- Consider disabling the undo-reply feature at the application configuration level if supported
- Monitor all undo-reply activity and investigate any operations where the requester differs from the reply author
# Upgrade FreeScout to patched version
cd /path/to/freescout
git fetch --tags
git checkout 1.8.214
php artisan freescout:after-app-update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
