Skip to main content

FreeScout CVE-2026-48810

| EUVDEUVD-2026-33438 MEDIUM
Improper Authorization (CWE-285)
2026-05-29 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:38 vuln.today

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag - not current mailbox membership. This vulnerability is fixed in 1.8.221.

AnalysisAI

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Technical ContextAI

FreeScout is a PHP/Laravel open-source help desk and shared inbox platform. The vulnerable code resides in the ThreadPolicy authorization class, which Laravel uses to gate conversation thread operations. CWE-285 (Improper Authorization) describes the root cause: the edit policy evaluates two conditions - whether the requesting user is the original author of the thread and whether they hold the system-wide PERM_EDIT_CONVERSATIONS permission flag - but never verifies that the user currently belongs to the mailbox containing that thread. This is a classic broken object-level authorization (BOLA) pattern. The CPE cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* confirms all versions prior to 1.8.221 of the FreeScout application are affected. The flaw is structurally identical to a previously patched ThreadPolicy::delete issue, indicating the mailbox membership check was systematically omitted from multiple sibling policy methods.

RemediationAI

Upgrade FreeScout to version 1.8.221 or later, which introduces the missing mailbox membership check into the ThreadPolicy::edit method. The vendor-confirmed fix is documented in GitHub Security Advisory GHSA-3w38-h42v-3h6w at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3w38-h42v-3h6w. As a compensating control prior to patching, administrators should audit all users holding the PERM_EDIT_CONVERSATIONS permission and remove that permission from any user who has been removed from one or more mailboxes. Note the trade-off: revoking PERM_EDIT_CONVERSATIONS globally will also block that user's edit access in any other mailboxes they still legitimately belong to. Alternatively, review and revoke access for all former mailbox members who still hold active accounts in the system. There is no known workaround that preserves the permission for current members while blocking it for removed members without upgrading to 1.8.221.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-48810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy