{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41183", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.526Z", "datePublished": "2026-04-21T17:00:39.033Z", "dateUpdated": "2026-04-21T20:37:11.192Z"}, "containers": {"cna": {"title": "FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/6583d6f5a593b51223904f9e0f2e721e63c76de0", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/6583d6f5a593b51223904f9e0f2e721e63c76de0"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.215", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:00:39.033Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability."}], "source": {"advisory": "GHSA-7rh8-9rgv-g35r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:00:51.290563Z", "id": "CVE-2026-41183", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:11.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41183", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:00:51.290563Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:01:03.594Z"}}], "cna": {"title": "FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations", "source": {"advisory": "GHSA-7rh8-9rgv-g35r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.215"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/6583d6f5a593b51223904f9e0f2e721e63c76de0", "name": "https://github.com/freescout-help-desk/freescout/commit/6583d6f5a593b51223904f9e0f2e721e63c76de0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:00:39.033Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41183", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:11.192Z", "dateReserved": "2026-04-17T16:34:45.526Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:00:39.033Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder query builders. Global search and the AJAX filter path still reveal conversations that should be hidden. Version 1.8.215 fixes the vulnerability."}], "id": "CVE-2026-41183", "lastModified": "2026-04-22T21:10:14.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:57.227", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/6583d6f5a593b51223904f9e0f2e721e63c76de0"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.215)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-22T03:02:48.344422+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.215 or later to restore the assigned\u2011only restriction on all query paths.", "Verify that the assigned\u2011only restriction is active for global search and AJAX filter endpoints, ensuring hidden conversations are no longer returned.", "Review and audit user access logs to detect any unauthorized exposure of hidden conversations and remediate improper permissions."], "summary": {"action": "Patch", "impact": "Confidentiality Disclosure"}, "threat_synthesis": {"affected_systems": "Products impacted are FreeScout, the free self\u2011hosted help desk and shared mailbox solution, specifically versions prior to 1.8.215. Users deploying versions below this target are vulnerable.", "description_and_impact": "The vulnerability permits non\u2011folder conversations to reveal messages that are intended to be hidden only for assigned users. This leads to unauthorized disclosure of private chat records, affecting confidentiality of support interactions. The weakness is a misapplied confidentiality restriction attributable to CWE\u2011200.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium severity. Exploitation requires ability to query non\u2011folder conversation lists, which is typically available to authenticated users. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers can target the global search or AJAX filter paths to retrieve hidden conversations, thereby knowledge that should be restricted. The likely attack vector is inferred from the provided description, as the vulnerability statement specifies global search and AJAX filter paths."}}}}, "created": "2026-04-21T19:45:15.880912+00:00", "updated": "2026-04-22T03:15:06.405900+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}