CVE-2026-40592: CWE-862: Missing Authorization in freescout-help-desk freescout
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.
AI Analysis
Technical Summary
FreeScout before version 1.8.214 contains a missing authorization vulnerability (CWE-862) in the undo-send route `GET /conversation/undo-reply/{thread_id}`. The route checks only if the current user can view the parent conversation but fails to verify if the user created the reply they attempt to undo. Consequently, in a shared mailbox environment, one agent can recall another agent's reply during the 15-second undo window, potentially disrupting message integrity. The vulnerability has a CVSS 3.1 base score of 5.9 (medium severity) and does not affect confidentiality but impacts integrity and availability to a limited extent. The issue is resolved in FreeScout version 1.8.214.
Potential Impact
The vulnerability allows an authenticated user with permission to view a conversation to undo replies sent by other users within a short time frame, potentially causing unauthorized alteration of message history in a shared mailbox. This impacts the integrity of communications but does not expose confidential data or allow privilege escalation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.214 or later, where this authorization flaw is fixed. Since this is a self-hosted product, administrators should apply the update promptly to prevent unauthorized undo actions among agents. No other mitigations are indicated by the vendor advisory.
CVE-2026-40592: CWE-862: Missing Authorization in freescout-help-desk freescout
Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FreeScout before version 1.8.214 contains a missing authorization vulnerability (CWE-862) in the undo-send route `GET /conversation/undo-reply/{thread_id}`. The route checks only if the current user can view the parent conversation but fails to verify if the user created the reply they attempt to undo. Consequently, in a shared mailbox environment, one agent can recall another agent's reply during the 15-second undo window, potentially disrupting message integrity. The vulnerability has a CVSS 3.1 base score of 5.9 (medium severity) and does not affect confidentiality but impacts integrity and availability to a limited extent. The issue is resolved in FreeScout version 1.8.214.
Potential Impact
The vulnerability allows an authenticated user with permission to view a conversation to undo replies sent by other users within a short time frame, potentially causing unauthorized alteration of message history in a shared mailbox. This impacts the integrity of communications but does not expose confidential data or allow privilege escalation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.214 or later, where this authorization flaw is fixed. Since this is a self-hosted product, administrators should apply the update promptly to prevent unauthorized undo actions among agents. No other mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-14T14:07:59.641Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7b0e619fe3cd2cde9a4cc
Added to database: 4/21/2026, 5:16:22 PM
Last enriched: 4/21/2026, 5:32:08 PM
Last updated: 4/22/2026, 6:08:42 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.