CVE-2026-41192 HIGH

CVE-2026-41192: FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments

Vendor Freescout-Help-Desk
Product freescout
Weakness CWE-862 · Missing authorization
Published April 21, 2026
Last update April 21, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Description

FreeScout is a free, self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs: any ID present in `attachments_all[]` but omitted from the retained lists is decrypted and passed directly to `Attachment::deleteByIds()`, with no check that the attachment belongs to the draft being saved. Because `load_attachments` returns encrypted IDs for the attachments of any visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.
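The deletion diff described above, as an added illustration in Python rather than FreeScout's own PHP: a hypothetical model that places the retained/omitted comparison beside the ownership check the advisory says was missing, so each candidate ID must resolve to an attachment of the draft thread being saved by the current user. The Attachment fields, the encrypt_id/decrypt_id stand-ins, the function names and the sample IDs are assumptions for this example, not FreeScout code.

```python
from dataclasses import dataclass

@dataclass
class Attachment:
    id: int
    thread_id: int   # thread (sent reply or unsaved draft) the file belongs to
    user_id: int     # user who uploaded it

# Constructed sample data: attachment 100 was already sent in thread 10 by
# user 1; attachments 200 and 201 sit on user 2's unsaved draft thread 11.
ATTACHMENTS = {
    100: Attachment(100, thread_id=10, user_id=1),
    200: Attachment(200, thread_id=11, user_id=2),
    201: Attachment(201, thread_id=11, user_id=2),
}

def encrypt_id(att_id):
    # Stand-in for the encrypted id the client receives; not a real cipher.
    return f"enc:{att_id}"

def decrypt_id(token):
    if not token.startswith("enc:"):
        raise ValueError("malformed attachment token")
    return int(token[4:])

def ids_to_delete_vulnerable(attachments_all, retained):
    """Pre-fix pattern: every id in attachments_all[] that the client did not
    list as retained is decrypted and handed straight to the delete call."""
    return sorted(decrypt_id(t) for t in attachments_all if t not in retained)

def ids_to_delete_hardened(attachments_all, retained, draft_thread_id, user_id):
    """Same diff, but a candidate is deleted only if it resolves to an existing
    attachment on the draft thread being saved and uploaded by the saving user.
    Returns (ids_to_delete, refused_tokens); the refused list is what a
    defender would log, since a non-empty one means a replayed or foreign id."""
    to_delete, refused = [], []
    for token in attachments_all:
        if token in retained:
            continue
        try:
            att = ATTACHMENTS.get(decrypt_id(token))
        except ValueError:
            att = None
        if att and att.thread_id == draft_thread_id and att.user_id == user_id:
            to_delete.append(att.id)
        else:
            refused.append(token)
    return sorted(to_delete), refused
```

In the constructed scenario, user 2 saves draft 11 with `attachments_all` holding the tokens for 100, 200 and 201 and retains only 201: the pre-fix diff deletes 100 and 200, while the hardened version deletes 200 and refuses the replayed token for 100.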

Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated
