Skip to main content

FreeScout CVE-2026-48811

| EUVDEUVD-2026-33437 MEDIUM
Missing Authorization (CWE-862)
2026-05-29 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:38 vuln.today

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.

AnalysisAI

FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.

Technical ContextAI

FreeScout is a self-hosted help desk application built on PHP's Laravel framework, using Laravel's policy-based authorization system to gate destructive actions. The affected component is ThreadPolicy::delete, a Laravel authorization policy that governs who may delete a thread (internal note). CWE-862 (Missing Authorization) applies here: the policy omits a critical mailbox-membership verification step, meaning the access control check is incomplete. The policy likely confirms that a user owns or created the note, but does not cross-check whether the user's association with the parent mailbox remains active. The affected CPE is cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:*, covering all versions prior to 1.8.221.

RemediationAI

The primary fix is to upgrade FreeScout to version 1.8.221 or later, which corrects the ThreadPolicy::delete authorization policy to include mailbox-membership verification. The vendor-released patch is confirmed at version 1.8.221 per the GitHub security advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6. As an immediate compensating control prior to patching, administrators should audit and fully revoke FreeScout user accounts (not just mailbox memberships) for any departed team members, since the flaw persists only when a former member's account remains active. Note that revoking mailbox access alone is insufficient as a workaround - the account itself must be disabled or deleted to fully block exploitation.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-48811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy