
CVE-2026-48810: FreeScout Auth Bypass Vulnerability

CVE-2026-48810 is an authorization bypass flaw in FreeScout that allows users to edit threads after mailbox removal. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2026-48810 Overview

CVE-2026-48810 is a missing authorization vulnerability in FreeScout, a free help desk and shared inbox application built on PHP's Laravel framework. The flaw resides in the ThreadPolicy::edit method, which fails to verify current mailbox membership before authorizing thread edits. A user holding the PERM_EDIT_CONVERSATIONS permission who previously authored a message or internal note in a mailbox can continue rewriting that thread's body even after an administrator revokes their mailbox access. The policy validates only authorship and a global permission flag, ignoring the user's current mailbox membership state. FreeScout version 1.8.221 resolves the issue.

Critical Impact

Authenticated users removed from a mailbox retain the ability to edit threads they previously authored, enabling unauthorized post-removal content modification of historical help desk conversations.

Affected Products

  • FreeScout versions prior to 1.8.221
  • FreeScout help desk and shared inbox (Laravel framework)
  • Deployments granting the PERM_EDIT_CONVERSATIONS permission to non-administrative users

Discovery Timeline

  • 2026-05-29 - CVE-2026-48810 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-48810

Vulnerability Analysis

The vulnerability is an improper authorization flaw classified under CWE-285 (Improper Authorization). FreeScout uses Laravel policy classes to gate access to conversation threads. The ThreadPolicy::edit method governs whether a user may modify the body of a message or internal note they previously authored.

The policy evaluates two conditions: the requesting user must be the original author of the thread, and the user must hold the global PERM_EDIT_CONVERSATIONS permission. The policy does not re-check whether the user remains a member of the mailbox containing the thread. This logic gap mirrors a previously reported issue in the sibling ThreadPolicy::delete method.

As a result, when an administrator removes a user from Mailbox A, the user's authorship of historical threads in that mailbox persists. Any subsequent edit request is authorized solely on the basis of authorship and the global flag, bypassing the intended mailbox-scoped access control.

Root Cause

The root cause is a missing mailbox membership check inside ThreadPolicy::edit. Authorization logic conflates a global edit permission with mailbox-specific access. The application treats authorship as a permanent grant, ignoring administrative actions that revoke mailbox membership after the thread was created.

Attack Vector

Exploitation requires an authenticated account that previously held the PERM_EDIT_CONVERSATIONS permission and authored at least one thread in the target mailbox. After the administrator removes the user from the mailbox, the user submits an edit request to the thread endpoint over the network. The policy returns an authorized decision, and the thread body is rewritten. No user interaction from other parties is required.

No code example is available for this issue; the GitHub Security Advisory carries the technical details: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3w38-h42v-3h6w

Detection Methods for CVE-2026-48810

Indicators of Compromise

  • Thread edit events performed by user accounts that are no longer listed as members of the affected mailbox.
  • Modifications to message bodies or internal notes with timestamps occurring after the author's mailbox removal date.
  • HTTP requests to FreeScout thread edit endpoints originating from accounts whose mailbox assignments were recently revoked.

Detection Strategies

  • Correlate FreeScout audit logs of mailbox membership changes with subsequent thread edit events authored by the removed user.
  • Query the application database for thread updated_at timestamps that postdate the author's removal from the mailbox.
  • Review web server access logs for POST or PUT requests to conversation thread routes from users without current mailbox access.
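The first two strategies above, correlating mailbox membership changes with later thread edits, can be scripted. The block below is an added example, not FreeScout code or its log format: it replays constructed membership events (added/removed) per mailbox and user and flags any thread edit made while the author was not a member, including the case where a user is removed and later re-added.

```python
from datetime import datetime

# Constructed sample records (simplified, not FreeScout's real audit format):
# membership changes as (timestamp, mailbox_id, user_id, action)
MEMBERSHIP_EVENTS = [
    ("2026-05-01T09:00:00", 1, 7, "added"),
    ("2026-05-01T09:00:00", 1, 3, "added"),
    ("2026-05-20T17:30:00", 1, 7, "removed"),   # admin revokes user 7 from mailbox 1
    ("2026-05-25T10:00:00", 2, 7, "added"),
    ("2026-05-28T09:00:00", 1, 7, "added"),     # user 7 re-added to mailbox 1 later
]
# thread edits as (timestamp, mailbox_id, editing_user_id, thread_id)
THREAD_EDITS = [
    ("2026-05-10T11:00:00", 1, 7, 101),  # edited while a member: legitimate
    ("2026-05-22T08:15:00", 1, 7, 101),  # edited after removal: post-removal edit
    ("2026-05-22T09:00:00", 1, 3, 102),  # current member: legitimate
    ("2026-05-26T12:00:00", 2, 7, 201),  # member of mailbox 2: legitimate
    ("2026-05-29T10:00:00", 1, 7, 101),  # edited after being re-added: legitimate
]


def was_member_at(events, mailbox_id, user_id, when_iso):
    """Replay membership changes for (mailbox, user) in time order and
    return whether the user was a member at the given ISO timestamp."""
    when = datetime.fromisoformat(when_iso)
    member = False
    for ts, mb, uid, action in sorted(events):
        if mb != mailbox_id or uid != user_id:
            continue
        if datetime.fromisoformat(ts) > when:
            break  # later changes do not affect state at `when`
        member = action == "added"
    return member


def find_post_removal_edits(membership_events, thread_edits):
    """Return every thread edit performed by a user who was not a member
    of the thread's mailbox at the time of the edit."""
    findings = []
    for ts, mb, uid, thread_id in thread_edits:
        if not was_member_at(membership_events, mb, uid, ts):
            findings.append({"thread_id": thread_id, "user_id": uid,
                             "mailbox_id": mb, "edited_at": ts})
    return findings


if __name__ == "__main__":
    for f in find_post_removal_edits(MEMBERSHIP_EVENTS, THREAD_EDITS):
        print("post-removal edit:", f)
```

On a real deployment the two inputs would come from the application audit log and the threads table's updated_at values; the replay logic is unchanged.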

Monitoring Recommendations

  • Enable verbose application logging for all conversation and thread modification actions, including the authoring user and target mailbox.
  • Alert on any thread edit activity by users whose mailbox permissions were modified within the prior 30 days.
  • Periodically audit thread modification history against current mailbox membership rosters to surface anomalies.

How to Mitigate CVE-2026-48810

Immediate Actions Required

  • Upgrade FreeScout to version 1.8.221 or later, which adds the missing mailbox membership check to ThreadPolicy::edit.
  • Audit recent thread edits to identify modifications performed by users after their mailbox removal.
  • Review which user accounts hold the PERM_EDIT_CONVERSATIONS permission and reduce its assignment where not strictly required.

Patch Information

The vulnerability is fixed in FreeScout 1.8.221. The patch adds a current mailbox membership check to the ThreadPolicy::edit method, aligning its authorization logic with the corrected ThreadPolicy::delete method. Refer to the GitHub Security Advisory GHSA-3w38-h42v-3h6w for advisory details.

Workarounds

  • Restrict assignment of the PERM_EDIT_CONVERSATIONS permission to administrators and trusted mailbox members only.
  • When removing a user from a mailbox, also revoke the PERM_EDIT_CONVERSATIONS global permission if no longer needed elsewhere.
  • Implement reverse-proxy or web application firewall rules that block thread edit routes for accounts pending offboarding review.

```bash
# Upgrade FreeScout to the patched release
cd /var/www/freescout
php artisan freescout:update
php artisan --version
# Confirm FreeScout reports version 1.8.221 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
