CVE-2026-41190 Overview
CVE-2026-41190 is an authorization bypass vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. The vulnerability exists in the save_draft AJAX endpoint, which fails to properly enforce access controls when the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS configuration setting is enabled. While the direct conversation view correctly blocks unauthorized users who are neither the assignee nor the creator of a conversation, the save_draft endpoint implements weaker authorization checks, allowing authenticated attackers to create drafts inside conversations they should not have access to.
Critical Impact
Authenticated users can bypass conversation access restrictions and inject draft content into conversations they are not assigned to, potentially leading to unauthorized information disclosure or manipulation of customer communications.
Affected Products
- FreeScout versions prior to 1.8.215
- Self-hosted FreeScout installations with APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS enabled (the bypass only matters where this per-conversation restriction is in force; installations without it already let every mailbox user see every conversation)
Discovery Timeline
- 2026-04-21 - CVE-2026-41190 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41190
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), where the application fails to consistently enforce access control policies across all endpoints. When APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled in FreeScout, the application is designed to restrict conversation visibility so that users can only see conversations they are assigned to or have created. The direct conversation view endpoint properly enforces this restriction by blocking unauthorized access attempts.
However, the save_draft AJAX handler in ConversationsController.php applied a weaker rule. Its deny condition only fired when the user failed the `can('view', $conversation)` policy check AND lacked hasManageMailboxPermission() with Mailbox::ACCESS_PERM_ASSIGNED, so any user holding that mailbox-level permission passed even though the conversation policy had rejected them. Worse, the mailbox ID fed to that secondary check came from the request (`$request->mailbox_id`) rather than from the conversation record, so the caller chose which mailbox the permission was evaluated against. As a result, an attacker with valid credentials could send a direct POST to the save_draft endpoint and create a draft in a conversation that the UI, and the conversation view route, would refuse to show them.
Root Cause
The root cause is inconsistent authorization enforcement between the conversation view route and the draft-saving route. The save_draft handler carried an overly permissive fallback: a user who failed the conversation policy was still allowed through if they held ACCESS_PERM_ASSIGNED on a mailbox named in the request. The view route had no such fallback, so the same conversation was hidden from the user in one code path and writable by them in another. This is a classic CWE-863 pattern: the policy object (`can('view', ...)`) existed and was correct, but one endpoint did not treat it as authoritative.
Attack Vector
This vulnerability is exploitable over the network by any authenticated user; no elevated role is needed beyond a valid FreeScout account that holds the ACCESS_PERM_ASSIGNED permission on some mailbox. The attack flow involves:
- Authenticating to the FreeScout application with valid credentials
- Identifying a target conversation ID (potentially through enumeration or social engineering)
- Sending a crafted POST request directly to the save_draft AJAX endpoint
- Including the target conversation_id and mailbox_id parameters with malicious draft content
- The draft is created in the target conversation, bypassing UI-level access restrictions
// Security patch in app/Http/Controllers/ConversationsController.php
// Source: https://github.com/freescout-help-desk/freescout/commit/414878eb79be7cb01a3ae124df6efcd23729275f
$new = true;
if (!$response['msg'] && !empty($request->conversation_id)) {
$conversation = Conversation::find($request->conversation_id);
- if ($conversation && !$user->can('view', $conversation) && !$user->hasManageMailboxPermission($request->mailbox_id, Mailbox::ACCESS_PERM_ASSIGNED)) {
+ if ($conversation && !$user->can('view', $conversation) /*&& !$user->hasManageMailboxPermission($request->mailbox_id, Mailbox::ACCESS_PERM_ASSIGNED)*/) {
$response['msg'] = __('Not enough permissions');
} else {
$new = false;
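Review bot: The dropped clause evaluated `hasManageMailboxPermission($request->mailbox_id, Mailbox::ACCESS_PERM_ASSIGNED)` against a mailbox ID taken from the request rather than from `$conversation`, so the caller picked which mailbox the permission was checked on; making `$user->can('view', $conversation)` the sole gate is the right fix. Two follow-ups on this hunk: delete the clause instead of leaving it commented out inside the `if` condition, since dead text in an access-control check will mislead the next reader, and confirm the `else` branch is safe with a null `$conversation`, because a `conversation_id` that `Conversation::find` does not resolve skips the permission branch and still reaches `$new = false;`.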
Source: GitHub Commit Details
The patch removes the secondary permission check hasManageMailboxPermission(), ensuring that the can('view', $conversation) policy check is the sole authorization gate for draft operations.
Detection Methods for CVE-2026-41190
Indicators of Compromise
- Unexpected draft entries appearing in conversations where the draft creator is not the assigned user or conversation creator
- POST requests to the save_draft AJAX endpoint with conversation_id parameters referencing restricted conversations
- Web server or application access logs showing users submitting save_draft requests for conversation IDs outside their assigned scope, or with a mailbox_id that does not match the conversation's actual mailbox
Detection Strategies
- Monitor web application logs for POST requests to draft endpoints containing conversation IDs the requesting user should not have access to
- Implement application-level audit logging for draft creation events, including the user ID, conversation ID, and assignment status
- Cross-reference draft creation events against conversation assignment records to identify unauthorized access patterns
Monitoring Recommendations
- Enable detailed access logging in FreeScout to track all conversation and draft operations
- Configure web application firewall (WAF) rules to flag suspicious patterns of conversation ID enumeration
- Establish baseline behavior for draft creation patterns and alert on anomalies such as users creating drafts across multiple unrelated conversations
How to Mitigate CVE-2026-41190
Immediate Actions Required
- Upgrade FreeScout to version 1.8.215 or later immediately
- Audit existing draft entries for any unauthorized content created by users who were not assigned to the respective conversations
- Review application logs for signs of exploitation attempts targeting the save_draft endpoint
- If immediate patching is not possible, consider temporarily disabling APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS, but understand what that does: it removes the restriction rather than enforcing it, so every mailbox user can then see every conversation. It closes the inconsistency, not the exposure
Patch Information
FreeScout version 1.8.215 addresses this vulnerability by removing the overly permissive hasManageMailboxPermission() check from the draft saving authorization logic. The fix ensures that only users who can legitimately view a conversation are permitted to create drafts within it.
- GitHub Release 1.8.215 - Official release containing the security fix
- GitHub Security Advisory GHSA-vj2p-2789-3747 - Vendor security advisory with additional details
- GitHub Commit Details - Specific commit implementing the fix
Workarounds
- If patching is not immediately possible, disabling the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS setting removes the inconsistency, because there is no longer a view restriction for save_draft to bypass. Note that this makes all conversations visible to all users with mailbox access, which is a wider exposure than the bug itself; treat it as acceptable only where the restriction was a convenience rather than a security control
- Restrict network access to the FreeScout application to trusted users and networks, which limits who can hold the authenticated account the attack requires
- A web application firewall cannot see conversation assignment state, so it cannot validate that a draft targets a conversation the user is assigned to. WAF rules are limited to rate-limiting save_draft requests and flagging bursts that cycle through many distinct conversation_id values; the authoritative check has to live in the application, which is what the patch restores
# Configuration example
# Disable the affected feature as a temporary workaround
# Edit your .env file and set:
APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS=false
# Rebuild the cached configuration so the new value is read
# (Laravel serves cached config until this is rerun; a plain web server restart is not enough)
php artisan config:cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.