CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-3999 (GCVE-0-2026-3999)
Vulnerability from cvelistv5 – Published: 2026-03-13 08:38 – Updated: 2026-03-16 11:27
VLAI
Title
Broken access control vulnerability affecting ID Server
Summary
A broken access control may allow an authenticated user to perform a
horizontal privilege escalation. The vulnerability only impacts specific
configurations.
Severity
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://docs.pointsharp.com/psa/advisories/psa-20… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Pointsharp | ID Server |
Affected:
0 , < 9.0.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:04:52.787757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:04:58.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ID Server",
"vendor": "Pointsharp",
"versions": [
{
"lessThan": "9.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Reema AlQahtani, Haboob Cybersecurity Services"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\u003cp\u003eA broken access control may allow an authenticated user to perform a \nhorizontal privilege escalation. The vulnerability only impacts specific\n configurations.\u003c/p\u003e\n\u003c/div\u003e"
}
],
"value": "A broken access control may allow an authenticated user to perform a \nhorizontal privilege escalation. The vulnerability only impacts specific\n configurations."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T11:27:05.956Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.pointsharp.com/psa/advisories/psa-2026-001.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Broken access control vulnerability affecting ID Server",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2026-3999",
"datePublished": "2026-03-13T08:38:59.468Z",
"dateReserved": "2026-03-11T17:52:20.020Z",
"dateUpdated": "2026-03-16T11:27:05.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40043 (GCVE-0-2026-40043)
Vulnerability from cvelistv5 – Published: 2026-04-13 18:11 – Updated: 2026-04-13 20:49
VLAI
Title
Pachno 1.0.6 Authentication Bypass via runSwitchUser()
Summary
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | third-party-advisory |
| https://www.vulncheck.com/advisories/pachno-authe… | third-party-advisory |
Date Public
2026-04-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40043",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T20:49:56.370304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:49:59.051Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.zeroscience.mk/#/advisories/ZSL-2026-5985"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pachno",
"vendor": "pancho",
"versions": [
{
"status": "affected",
"version": "1.0.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pachno:pachno:1.0.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
}
],
"datePublic": "2026-04-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:11:00.288Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Zero Science Lab Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.php"
},
{
"name": "VulnCheck Advisory: Pachno 1.0.6 Authentication Bypass via runSwitchUser()",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchuser"
}
],
"title": "Pachno 1.0.6 Authentication Bypass via runSwitchUser()",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-40043",
"datePublished": "2026-04-13T18:11:00.288Z",
"dateReserved": "2026-04-08T13:39:22.100Z",
"dateUpdated": "2026-04-13T20:49:59.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40127 (GCVE-0-2026-40127)
Vulnerability from cvelistv5 – Published: 2026-05-25 10:18 – Updated: 2026-05-26 15:20
VLAI
Title
Authorization Bypass Through User-Controlled Key in OutSystems Lifetime
Summary
OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application.
This issue was fixed in OutSystems Lifetime version 11.28.2.3955
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/05/CVE-2026-40126/ | third-party-advisory |
| https://www.outsystems.com/downloads/ScreenDetail… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OutSystems | Lifetime |
Affected:
0 , < 11.28.2.3955
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:11:49.294978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:20:07.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Lifetime",
"vendor": "OutSystems",
"versions": [
{
"lessThan": "11.28.2.3955",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zbigniew Piotrak (AFINE Team)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOutSystems Lifetime is vulnerable to A\u003c/span\u003euthorization Bypass Through User-Controlled Key vulnerability in \u003ci\u003eApplicationID\u003c/i\u003e parameter. Any authenticated user, can\u0026nbsp;read the Change Log containing actions performed by other users as well as application name of any application.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in OutSystems Lifetime version\u0026nbsp;11.28.2.3955\u003cbr\u003e"
}
],
"value": "OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can\u00a0read the Change Log containing actions performed by other users as well as application name of any application.\n\nThis issue was fixed in OutSystems Lifetime version\u00a011.28.2.3955"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T10:18:05.904Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/05/CVE-2026-40126/"
},
{
"tags": [
"product"
],
"url": "https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953\u0026MajorVersion=11\u0026ComponentName=LifeTime"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in OutSystems Lifetime",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-40127",
"datePublished": "2026-05-25T10:18:05.904Z",
"dateReserved": "2026-04-09T10:15:00.973Z",
"dateUpdated": "2026-05-26T15:20:07.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40252 (GCVE-0-2026-40252)
Vulnerability from cvelistv5 – Published: 2026-04-10 20:52 – Updated: 2026-04-13 16:14
VLAI
Title
Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
Summary
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.
Severity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T16:14:17.130465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T16:14:30.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.10.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:52:15.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.10.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.10.4"
}
],
"source": {
"advisory": "GHSA-gc8m-w37w-24hw",
"discovery": "UNKNOWN"
},
"title": "Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40252",
"datePublished": "2026-04-10T20:52:15.218Z",
"dateReserved": "2026-04-10T17:31:45.786Z",
"dateUpdated": "2026-04-13T16:14:30.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40308 (GCVE-0-2026-40308)
Vulnerability from cvelistv5 – Published: 2026-04-16 21:30 – Updated: 2026-04-17 12:32
VLAI
Title
My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
Summary
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/joedolson/my-calendar/security… | x_refsource_CONFIRM |
| https://github.com/joedolson/my-calendar/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| joedolson | my-calendar |
Affected:
< 3.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T12:32:21.737938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T12:32:26.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "my-calendar",
"vendor": "joedolson",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T21:30:52.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
},
{
"name": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/joedolson/my-calendar/releases/tag/v3.7.7"
}
],
"source": {
"advisory": "GHSA-2mvx-f5qm-v2ch",
"discovery": "UNKNOWN"
},
"title": "My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40308",
"datePublished": "2026-04-16T21:30:52.401Z",
"dateReserved": "2026-04-10T21:41:54.504Z",
"dateUpdated": "2026-04-17T12:32:26.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40480 (GCVE-0-2026-40480)
Vulnerability from cvelistv5 – Published: 2026-04-17 23:07 – Updated: 2026-04-20 16:16
VLAI
Title
ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`
Summary
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ChurchCRM/CRM/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ChurchCRM/CRM/issues/8617 | x_refsource_MISC |
| https://github.com/ChurchCRM/CRM/pull/8616 | x_refsource_MISC |
| https://github.com/ChurchCRM/CRM/commit/28ea7a296… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40480",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:15:56.128986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:16:00.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRM",
"vendor": "ChurchCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members\u0027 records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T23:07:30.126Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"
},
{
"name": "https://github.com/ChurchCRM/CRM/issues/8617",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChurchCRM/CRM/issues/8617"
},
{
"name": "https://github.com/ChurchCRM/CRM/pull/8616",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChurchCRM/CRM/pull/8616"
},
{
"name": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2"
}
],
"source": {
"advisory": "GHSA-5w59-32c8-933v",
"discovery": "UNKNOWN"
},
"title": "ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40480",
"datePublished": "2026-04-17T23:07:30.126Z",
"dateReserved": "2026-04-13T19:50:42.114Z",
"dateUpdated": "2026-04-20T16:16:00.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40570 (GCVE-0-2026-40570)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:48 – Updated: 2026-04-21 19:11
VLAI
Title
FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout |
Affected:
< 1.8.213
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40570",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:11:31.685464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:11:51.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.213"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:48:08.260Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/f35b4249c72d9bdac6ab1ea4e288f5894be34057",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/f35b4249c72d9bdac6ab1ea4e288f5894be34057"
},
{
"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"
}
],
"source": {
"advisory": "GHSA-w77q-wjfp-c822",
"discovery": "UNKNOWN"
},
"title": "FreeScout\u0027s Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40570",
"datePublished": "2026-04-21T16:48:08.260Z",
"dateReserved": "2026-04-14T13:24:29.474Z",
"dateUpdated": "2026-04-21T19:11:51.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40589 (GCVE-0-2026-40589)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:50 – Updated: 2026-04-21 20:37
VLAI
Title
FreeScout has Customer Edit Cross-Mailbox Email Takeover
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer’s name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue.
Severity
7.6 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout |
Affected:
< 1.8.214
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40589",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T20:17:25.465302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:37:22.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.214"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer\u2019s name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:50:22.119Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/2e2fe37111d92ac665b9ad8806eac94a1a3e502c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/2e2fe37111d92ac665b9ad8806eac94a1a3e502c"
},
{
"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"
}
],
"source": {
"advisory": "GHSA-mv55-3mgv-fxwr",
"discovery": "UNKNOWN"
},
"title": "FreeScout has Customer Edit Cross-Mailbox Email Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40589",
"datePublished": "2026-04-21T16:50:22.119Z",
"dateReserved": "2026-04-14T13:24:29.476Z",
"dateUpdated": "2026-04-21T20:37:22.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40590 (GCVE-0-2026-40590)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:52 – Updated: 2026-04-21 17:39
VLAI
Title
FreeScout's Customer AJAX Create Modifies Hidden Existing Customer
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout |
Affected:
< 1.8.214
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40590",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T17:39:00.189870Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:39:21.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.214"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a \u201cCreate a new customer\u201d flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:52:27.992Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/b3d7611e6e173ed8a5e525b791deb6b32cf1ce62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/b3d7611e6e173ed8a5e525b791deb6b32cf1ce62"
},
{
"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"
}
],
"source": {
"advisory": "GHSA-wjw4-8xg6-342m",
"discovery": "UNKNOWN"
},
"title": "FreeScout\u0027s Customer AJAX Create Modifies Hidden Existing Customer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40590",
"datePublished": "2026-04-21T16:52:27.992Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-04-21T17:39:21.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40591 (GCVE-0-2026-40591)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:54 – Updated: 2026-04-21 17:46
VLAI
Title
FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability.
Severity
7.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout |
Affected:
< 1.8.214
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40591",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T17:46:34.226416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:46:38.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.214"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can create a phone conversation in Mailbox A can bind the new Mailbox A phone conversation to a hidden customer from Mailbox B and add a new alias email to that hidden customer record by supplying `to_email`. Version 1.8.214 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:54:14.113Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/83eea1ca47d97c6cdc90c501734bc2579b014a34"
},
{
"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214"
}
],
"source": {
"advisory": "GHSA-9ff4-mmhv-x6jp",
"discovery": "UNKNOWN"
},
"title": "FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40591",
"datePublished": "2026-04-21T16:54:14.113Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-04-21T17:46:38.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.