Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit(), which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability.
AnalysisAI
Authorization bypass in FreeScout allows low-privileged authenticated users to edit customer threads in conversations they cannot access. The ThreadPolicy::edit() method validates mailbox access but fails to enforce assigned-only conversation restrictions from ConversationPolicy, enabling unauthorized modification of customer communications with high integrity impact. Vendor patch released in version 1.8.215 with fix commit confirmed in GitHub advisory GHSA-4h5p-7f5c-q7gj. No public exploit identified at time of analysis, CVSS 7.1 (High) with low attack complexity indicates straightforward exploitation once authenticated.
Technical ContextAI
FreeScout is an open-source self-hosted help desk and shared mailbox application built on PHP/Laravel. The vulnerability stems from CWE-863 (Incorrect Authorization) in the policy enforcement layer. Laravel applications typically use policy classes to authorize resource access - FreeScout implements ThreadPolicy and ConversationPolicy separately. The flaw occurs because ThreadPolicy::edit() validates whether a user has mailbox-level access but does not inherit or check the assigned-only filtering logic from ConversationPolicy. This creates an inconsistent authorization boundary where conversation-level visibility restrictions (which may limit users to only their assigned tickets) are bypassed when directly editing thread resources. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation requiring only low-privileged authentication, with high integrity impact (I:H) from unauthorized thread modification and low confidentiality impact (C:L) from indirect data exposure through edit capabilities.
RemediationAI
Upgrade FreeScout to version 1.8.215 or later immediately, as confirmed by vendor release at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. The fix commit (cdadaf621bb1e1d017315df20d743671f7eae7a9) modifies ThreadPolicy to properly inherit conversation access restrictions, resolving the authorization bypass. For environments unable to upgrade immediately, implement compensating controls by restricting user account creation and auditing thread edit operations through application logs to detect unauthorized modifications. Review user permissions and consider temporarily elevating all users to full conversation access (eliminating assigned-only restrictions) if the authorization gap poses greater risk than broader access - this trades the vulnerability for intentional permission expansion with compensating audit controls. Database-level triggers could log thread edits with user context for forensic review, though this adds complexity and does not prevent exploitation. All compensating controls carry operational overhead and reduced security posture compared to applying the vendor patch.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24193