Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route GET /conversation/undo-reply/{thread_id} checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability.
AnalysisAI
FreeScout versions prior to 1.8.214 allow authenticated agents in shared mailboxes to recall another agent's reply within a 15-second undo window due to insufficient authorization checks on the undo-send endpoint. The vulnerability requires agent-level authentication and shared mailbox access but enables one user to suppress a colleague's outbound communication, affecting message integrity and audit trails in multi-agent help desk environments.
Technical ContextAI
FreeScout is a self-hosted help desk platform that supports shared mailbox functionality where multiple agents collaborate on customer conversations. The vulnerability exists in the undo-reply route (GET /conversation/undo-reply/{thread_id}) which implements authorization through a conversation-view permission check (CWE-862: Missing Authorization). This authorization model fails to distinguish between users who can view a conversation and users who authored a specific reply. In multi-agent environments, any agent with mailbox access can invoke the undo endpoint for any reply visible in that mailbox, regardless of authorship. The 15-second undo window creates a narrow but exploitable race condition during active support sessions.
RemediationAI
Upgrade FreeScout to version 1.8.214 or later immediately, which implements proper authorization checks to verify that the user invoking undo-reply is the original author of the reply being undone. If immediate upgrade is not possible, restrict agent access to the undo-reply endpoint via reverse proxy or web application firewall rules (e.g., block GET /conversation/undo-reply/ at network layer) - this disables undo functionality for all users until patch is applied but prevents cross-user reply suppression. Alternatively, enforce strict time-limited session management for help desk agents (15-second or shorter session re-authentication) to reduce the likelihood that an attacker maintains active session access during the undo window, though this is a compensating control with significant UX impact. Verify the fix via the commit https://github.com/freescout-help-desk/freescout/commit/c779afdda86fa00a4b85779e034bbfd9ce20c76d and official release tag 1.8.214.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24189