Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag - not current mailbox membership. This vulnerability is fixed in 1.8.221.
AnalysisAI
Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.
Technical ContextAI
FreeScout is a PHP/Laravel open-source help desk and shared inbox platform. The vulnerable code resides in the ThreadPolicy authorization class, which Laravel uses to gate conversation thread operations. CWE-285 (Improper Authorization) describes the root cause: the edit policy evaluates two conditions - whether the requesting user is the original author of the thread and whether they hold the system-wide PERM_EDIT_CONVERSATIONS permission flag - but never verifies that the user currently belongs to the mailbox containing that thread. This is a classic broken object-level authorization (BOLA) pattern. The CPE cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* confirms all versions prior to 1.8.221 of the FreeScout application are affected. The flaw is structurally identical to a previously patched ThreadPolicy::delete issue, indicating the mailbox membership check was systematically omitted from multiple sibling policy methods.
RemediationAI
Upgrade FreeScout to version 1.8.221 or later, which introduces the missing mailbox membership check into the ThreadPolicy::edit method. The vendor-confirmed fix is documented in GitHub Security Advisory GHSA-3w38-h42v-3h6w at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3w38-h42v-3h6w. As a compensating control prior to patching, administrators should audit all users holding the PERM_EDIT_CONVERSATIONS permission and remove that permission from any user who has been removed from one or more mailboxes. Note the trade-off: revoking PERM_EDIT_CONVERSATIONS globally will also block that user's edit access in any other mailboxes they still legitimately belong to. Alternatively, review and revoke access for all former mailbox members who still hold active accounts in the system. There is no known workaround that preserves the permission for current members while blocking it for removed members without upgrading to 1.8.221.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33438