{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40592", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T14:07:59.641Z", "datePublished": "2026-04-21T16:57:33.146Z", "dateUpdated": "2026-04-21T19:10:40.989Z"}, "containers": {"cna": {"title": "FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-674v-r6xp-mvp6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-674v-r6xp-mvp6"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.214", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:57:33.146Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability."}], "source": {"advisory": "GHSA-674v-r6xp-mvp6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:10:27.269388Z", "id": "CVE-2026-40592", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:10:40.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40592", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:10:27.269388Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:10:36.577Z"}}], "cna": {"title": "FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply", "source": {"advisory": "GHSA-674v-r6xp-mvp6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.214"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-674v-r6xp-mvp6", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-674v-r6xp-mvp6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d", "name": "https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:57:33.146Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40592", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:10:40.989Z", "dateReserved": "2026-04-14T14:07:59.641Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:57:33.146Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability."}], "id": "CVE-2026-40592", "lastModified": "2026-04-22T21:10:14.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:57.087", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-674v-r6xp-mvp6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.214)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-21T22:36:24.423453+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.214 or later", "Configure role\u2011based permissions so that undo\u2011recall functionality is available only to the message originator", "Implement access controls or a web\u2011application firewall rule to block the undo\u2011reply endpoint for users who are not the message author"], "summary": {"action": "Apply Patch", "impact": "Unauthorized message recall by shared mailbox peers"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in FreeScout help\u2011desk versions prior to 1.8.214. All releases that include the shared mailbox feature and allow undo\u2011send operations are affected until the patch is applied. Update to FreeScout 1.8.214 or later to eliminate the flaw.", "description_and_impact": "FreeScout allows a user to send a GET request to the undo\u2011send endpoint for a conversation thread and, if the request is made within 15 seconds of sending a reply, the server will delete that reply. The access control check only verifies that the requester can view the parent conversation, not that the requester actually created the reply. This flaw, identified as CWE\u2011862, enables an agent in the same shared mailbox to recover another agent\u2019s outbound message, thereby compromising message integrity and availability.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity. The exploit is limited to agents who can view a conversation and must act within the 15\u2011second window, reducing the likelihood of successful attacks. No proof\u2011of\u2011concept exists in public advisories, and the vulnerability is not listed in the CISA KEV catalog. While the EPSS score is not available, the attack requires privileged access to the same mailbox, making exploitation less probable in environments with strict role segregation."}}}}, "created": "2026-04-21T18:45:05.905341+00:00", "updated": "2026-04-21T22:45:16.054188+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}