PT-2026-34027 · Freescout Help Desk · Freescout

Published 2026-04-21 · Updated 2026-04-27 · CVE-2026-40592

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions

FreeScout versions prior to 1.8.214

Description

The undo-send route "/conversation/undo-reply/{thread id}" only verifies if the current user has permission to view the parent conversation. It fails to confirm that the user attempting the action is the one who created the reply. In a shared mailbox environment, this allows one agent to recall a reply sent by another agent within the 15-second undo window.

Recommendations

Update to version 1.8.214.
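
The authorization gap described above, modelled as an added example that is not FreeScout source code: every class, function and field name is hypothetical, and the sample agents and timestamps are constructed. It puts the view-only check next to one that also requires the caller to be the reply's author; with this data the two checks disagree only for the second agent in the shared mailbox.

```php
<?php
// Added illustration, not FreeScout source. All names here are hypothetical.
declare(strict_types=1);

const UNDO_WINDOW_SECONDS = 15; // undo window stated in the advisory

final class Reply
{
    // $sentAt is a Unix timestamp.
    public function __construct(public int $mailboxId, public int $authorId, public int $sentAt) {}
}

final class Agent
{
    /** @param int[] $mailboxIds mailboxes whose conversations the agent may view */
    public function __construct(public int $id, public array $mailboxIds) {}

    public function canView(Reply $reply): bool
    {
        return in_array($reply->mailboxId, $this->mailboxIds, true);
    }
}

// Check as the advisory describes it: view permission plus the time window.
function canUndoViewOnly(Agent $agent, Reply $reply, int $now): bool
{
    $age = $now - $reply->sentAt;
    return $agent->canView($reply) && $age >= 0 && $age <= UNDO_WINDOW_SECONDS;
}

// Hardened check: the caller must also be the agent who created the reply.
function canUndoAuthorOnly(Agent $agent, Reply $reply, int $now): bool
{
    return canUndoViewOnly($agent, $reply, $now) && $agent->id === $reply->authorId;
}

// Constructed data: agents 1 and 2 share mailbox 7; agent 3 has no access to it.
$reply = new Reply(mailboxId: 7, authorId: 1, sentAt: 1000);
$cases = [
    'author, in window'      => [new Agent(1, [7]), 1005],
    'other agent, in window' => [new Agent(2, [7]), 1005],
    'no mailbox access'      => [new Agent(3, [9]), 1005],
    'author, window expired' => [new Agent(1, [7]), 1020],
];
foreach ($cases as $label => [$agent, $now]) {
    printf("%-24s view-only=%-5s author-only=%s\n", $label,
        var_export(canUndoViewOnly($agent, $reply, $now), true),
        var_export(canUndoAuthorOnly($agent, $reply, $now), true));
}
```

The four cases double as a regression matrix for any action that modifies another user's object: test the non-owner with legitimate read access, not only the unauthenticated or out-of-mailbox caller.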

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-40592

Affected Products

Freescout