CVE-2026-40570

🗓️ 21 Apr 2026 16:48:08Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 8 Views🌐 WEB

CVE-2026-40570: FreeScout exposed customer data to any authenticated user via load_customer_info before 1.8.213.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-40570	21 Apr 202616:48	–	attackerkb
CNNVD	FreeScout 安全漏洞	21 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-40570 FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII	21 Apr 202616:48	–	cvelist
EUVD	EUVD-2026-24173	21 Apr 202616:48	–	euvd
NVD	CVE-2026-40570	21 Apr 202617:16	–	nvd
Positive Technologies	PT-2026-34020	21 Apr 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-40570 FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII	21 Apr 202616:48	–	vulnrichment

Vulners

Node

freescout-help-desk freescoutRange<1.8.213

[
  {
    "vendor": "freescout-help-desk",
    "product": "freescout",
    "versions": [
      {
        "version": "< 1.8.213",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/freescout-help-desk/freescout/releases/tag/1.8.213
github	www.github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822
github	www.github.com/freescout-help-desk/freescout/commit/f35b4249c72d9bdac6ab1ea4e288f5894be34057

Parameter	Position	Path	Description	CWE
load_customer_info	request body	/conversation/ajax	Endpoint allows authenticated users to retrieve complete customer profile data by providing an email without mailbox access verification (vulnerability fixed in 1.8.213).	CWE-862, CWE-639
email	request body	/conversation/ajax	Endpoint allows authenticated users to retrieve complete customer profile data by providing an email without mailbox access verification (vulnerability fixed in 1.8.213).	CWE-862, CWE-639

22 Apr 2026 21:10Current

5.8Medium risk

Vulners AI Score5.8

CVSS 47.1

EPSS0.00047

SSVC