FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit(), which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41189.json",
"cwe_ids": [
"CWE-863"
],
"cna_assigner": "GitHub_M"
}