CVE-2026-41903: CWE-863: Incorrect Authorization in freescout-help-desk freescout
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass — the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.
AI Analysis
Technical Summary
CVE-2026-41903 is an incorrect authorization vulnerability (CWE-863) in FreeScout, a PHP Laravel-based help desk application. Users with the PERM_EDIT_USERS permission, intended for general user-profile editing, can exploit this flaw to read and modify notification subscriptions of any user, including admins, by sending a crafted POST request. This can result in disabling critical notifications for administrators, such as email, browser, or mobile alerts. The vulnerability affects FreeScout versions prior to 1.8.217 and was introduced as a sibling issue to CVE-2025-48472, where a prior fix did not cover this code path. The vulnerability has been patched in version 1.8.217.
Potential Impact
An attacker with limited privileges (PERM_EDIT_USERS) can silently disable notification subscriptions for administrators, potentially suppressing security alerts and conversation-assignment notices. This can reduce the visibility of important events to administrators, increasing the risk of unnoticed security incidents or operational issues. There is no direct confidentiality impact, but integrity and availability of notifications are affected.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.217 or later, where this vulnerability has been patched. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated but the description confirms the issue is fixed in 1.8.217.
CVE-2026-41903: CWE-863: Incorrect Authorization in freescout-help-desk freescout
Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass — the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41903 is an incorrect authorization vulnerability (CWE-863) in FreeScout, a PHP Laravel-based help desk application. Users with the PERM_EDIT_USERS permission, intended for general user-profile editing, can exploit this flaw to read and modify notification subscriptions of any user, including admins, by sending a crafted POST request. This can result in disabling critical notifications for administrators, such as email, browser, or mobile alerts. The vulnerability affects FreeScout versions prior to 1.8.217 and was introduced as a sibling issue to CVE-2025-48472, where a prior fix did not cover this code path. The vulnerability has been patched in version 1.8.217.
Potential Impact
An attacker with limited privileges (PERM_EDIT_USERS) can silently disable notification subscriptions for administrators, potentially suppressing security alerts and conversation-assignment notices. This can reduce the visibility of important events to administrators, increasing the risk of unnoticed security incidents or operational issues. There is no direct confidentiality impact, but integrity and availability of notifications are affected.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.217 or later, where this vulnerability has been patched. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated but the description confirms the issue is fixed in 1.8.217.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T15:11:54.672Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fcdf2dcbff5d86101f12dc
Added to database: 5/7/2026, 6:51:25 PM
Last enriched: 5/7/2026, 7:07:43 PM
Last updated: 5/8/2026, 9:57:27 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.