Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag — not current mailbox membership. This vulnerability is fixed in 1.8.221.
Published: 2026-05-29
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the thread editing policy (ThreadPolicy::edit) of FreeScout, a PHP‑based help desk system. A user who holds the PERM_EDIT_CONVERSATIONS permission and who authored a message or internal note can keep rewriting that thread's body after an administrator has removed them from the mailbox that owns the conversation. The policy checks only authorship and the global permission flag; it never asks whether the user is still a member of the mailbox. A removed user can therefore alter their own past messages or notes in a mailbox they are no longer entitled to access, corrupting or falsifying the record of a conversation that should be closed to them.
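The policy gap, as an added illustration that is not FreeScout's own code: the User and Thread classes, the permission constant's value and the two canEdit functions below are hypothetical stand-ins for the Laravel policy and models, written so the file runs under plain PHP 8 without the framework. The scenario at the bottom is the one the advisory describes (author a note in Mailbox A, get removed from Mailbox A, try to edit).

```php
<?php
declare(strict_types=1);

// Added illustration, not FreeScout's code. User, Thread and the two canEdit
// functions are hypothetical stand-ins for the Laravel policy and models.

const PERM_EDIT_CONVERSATIONS = 'edit_conversations'; // assumed value

final class User
{
    /** @var array<int, true> ids of the mailboxes the user currently belongs to */
    private array $mailboxIds = [];

    /** @param string[] $permissions global permission flags held by the user */
    public function __construct(public int $id, private array $permissions)
    {
    }

    public function hasPermission(string $perm): bool
    {
        return in_array($perm, $this->permissions, true);
    }

    public function addToMailbox(int $mailboxId): void
    {
        $this->mailboxIds[$mailboxId] = true;
    }

    public function removeFromMailbox(int $mailboxId): void
    {
        unset($this->mailboxIds[$mailboxId]);
    }

    public function hasMailbox(int $mailboxId): bool
    {
        return isset($this->mailboxIds[$mailboxId]);
    }
}

final class Thread
{
    public function __construct(
        public int $createdByUserId,
        public int $mailboxId,
        public string $body,
    ) {
    }
}

// Shape of the vulnerable check described in the advisory: authorship plus a
// global permission flag, nothing about the mailbox that owns the thread.
function canEditVulnerable(User $user, Thread $thread): bool
{
    return $thread->createdByUserId === $user->id
        && $user->hasPermission(PERM_EDIT_CONVERSATIONS);
}

// Hardened shape: the same two conditions plus current membership in the
// thread's mailbox, so removal from the mailbox also revokes the edit right.
function canEditFixed(User $user, Thread $thread): bool
{
    return $thread->createdByUserId === $user->id
        && $user->hasPermission(PERM_EDIT_CONVERSATIONS)
        && $user->hasMailbox($thread->mailboxId);
}

// Scenario from the advisory: an agent writes an internal note in Mailbox A,
// then an administrator removes the agent from that mailbox.
$mailboxA = 1;
$agent = new User(7, [PERM_EDIT_CONVERSATIONS]);
$agent->addToMailbox($mailboxA);
$note = new Thread($agent->id, $mailboxA, 'original internal note');
$agent->removeFromMailbox($mailboxA);

printf("vulnerable policy allows edit after removal: %s\n",
    canEditVulnerable($agent, $note) ? 'yes' : 'no');
printf("fixed policy allows edit after removal:      %s\n",
    canEditFixed($agent, $note) ? 'yes' : 'no');
```

Both functions still require authorship, matching the description: the flaw does not let a user touch threads written by others. The hardened variant keys the membership test on the thread's own mailboxId rather than on anything supplied by the request, which is the check a policy method should make for every object-level operation (edit, delete and any other sibling), not only the one that happened to be reported first.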

Affected Systems

Vulnerable releases of the FreeScout help‑desk and shared‑inbox platform prior to 1.8.221 are affected. The issue was identified in the "freescout-help-desk:freescout" product line.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) places the flaw in the medium range: reachable over the network with low complexity and no user interaction, but with impact limited to integrity. No EPSS data is available and the issue is not listed in the CISA KEV catalog, so there is no indication of exploitation in the wild. Exploitation requires an authenticated account that holds PERM_EDIT_CONVERSATIONS and that authored the target message or note before losing membership of its mailbox; the attacker cannot edit other users' threads through this flaw. It does not enable remote code execution or elevate to system‑wide privileges.

Generated by OpenCVE AI on May 29, 2026 at 21:22 UTC.

Remediation

Fixed in FreeScout 1.8.221, per the CVE description. No separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.221 or later, which adds the missing mailbox membership check to ThreadPolicy::edit.
  • Until the upgrade is applied, limit PERM_EDIT_CONVERSATIONS to trusted users, since the vulnerable policy lets any holder of that permission rewrite threads they authored regardless of their current mailbox membership.
  • Audit mailbox membership changes: for users who were removed from a mailbox but still hold PERM_EDIT_CONVERSATIONS, review edits made after the removal to messages and notes they authored in that mailbox.



Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Freescout Helpdesk
                                      Freescout Helpdesk freescout
Vendors & Products                    Freescout Helpdesk
                                      Freescout Helpdesk freescout

Fri, 29 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag — not current mailbox membership. This vulnerability is fixed in 1.8.221.
Title                          FreeScout: Thread Edit Authorization Bypass via Missing Mailbox Check
Weaknesses                     CWE-285
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:48:38.815Z

Reserved: 2026-05-22T20:57:10.976Z

Link: CVE-2026-48810

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-29T20:16:29.083

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-48810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses