CVE-2026-48810
Thread Body Rewrite in FreeScout Help Desk
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| freescout | freescout | up to 1.8.221 (exclusive) |
| freescout | freescout | up to 1.8.221 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48810 is an authorization bypass in FreeScout, a help desk application. The ThreadPolicy::edit method decides whether a user may edit a thread (a reply or an internal note) by checking only that the user authored the thread and holds the global PERM_EDIT_CONVERSATIONS permission; it does not verify that the user is still a member of the mailbox the conversation belongs to. A user who created a reply or note while a member of a mailbox therefore keeps the ability to edit that thread's content after an administrator removes them from the mailbox.
Exploitation needs nothing beyond a valid session. The attacker writes a reply or note while still a mailbox member, waits until they are removed, then sends the thread-edit POST request directly: the removed user no longer sees the conversation in the interface, but the server-side policy still approves the edit. The thread body is overwritten in the database, so prior replies and internal notes can be rewritten silently.
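To make the missing check concrete, here is a small model of the pre-fix and post-fix decision described above. This is an added illustration, not FreeScout's code: the class names, the MailboxMembership helper and the string used for the permission flag are assumptions chosen for the example; only the rule itself (author plus global flag, with mailbox membership added by the fix) comes from the advisory.

```python
"""Model of the ThreadPolicy::edit logic: vulnerable rule vs hardened rule.

Added example, not FreeScout's code. Names below are assumptions.
"""
from dataclasses import dataclass, field

PERM_EDIT_CONVERSATIONS = "edit_conversations"  # assumed representation of the flag


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class Thread:
    id: int
    mailbox_id: int            # mailbox of the parent conversation
    created_by_user_id: int    # author of the reply or internal note


@dataclass
class MailboxMembership:
    """Current state only: mailbox id -> set of member user ids (assumed helper)."""
    members: dict = field(default_factory=dict)

    def is_member(self, user_id: int, mailbox_id: int) -> bool:
        return user_id in self.members.get(mailbox_id, set())

    def remove(self, user_id: int, mailbox_id: int) -> None:
        self.members.get(mailbox_id, set()).discard(user_id)


def vulnerable_can_edit(user: User, thread: Thread) -> bool:
    """Pre-fix rule as the advisory describes it: authorship + global flag only."""
    return (thread.created_by_user_id == user.id
            and PERM_EDIT_CONVERSATIONS in user.permissions)


def hardened_can_edit(user: User, thread: Thread, membership: MailboxMembership) -> bool:
    """Post-fix rule: the same two checks plus current membership of the thread's mailbox."""
    return (vulnerable_can_edit(user, thread)
            and membership.is_member(user.id, thread.mailbox_id))


def demo():
    """Author edits their own note before and after removal from the mailbox.

    Returns ((vulnerable, hardened) before removal, (vulnerable, hardened) after).
    """
    agent = User(id=7, permissions=frozenset({PERM_EDIT_CONVERSATIONS}))
    note = Thread(id=101, mailbox_id=3, created_by_user_id=7)
    membership = MailboxMembership({3: {7, 8}})

    before = (vulnerable_can_edit(agent, note), hardened_can_edit(agent, note, membership))
    membership.remove(7, 3)  # administrator removes the agent from mailbox 3
    after = (vulnerable_can_edit(agent, note), hardened_can_edit(agent, note, membership))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The second tuple is the bug: after removal the vulnerable rule still returns True because nothing in it looks at mailbox membership, while the hardened rule denies the edit.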
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to silently modify the content of conversation threads in FreeScout after they have been removed from the mailbox. This undermines the integrity of the audit trail, as prior replies and internal notes can be rewritten without detection.
The impact is primarily on data integrity, as the vulnerability does not affect confidentiality or availability. However, the ability to alter conversation history can lead to misinformation, loss of trust, and potential misuse of the help desk records.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is a correlation problem rather than a signature match: the request is an ordinary authenticated thread edit, so it only stands out when the editing user is no longer a member of the mailbox the thread belongs to. Look for thread-edit POST requests from users who hold PERM_EDIT_CONVERSATIONS but have been removed from the mailbox, and compare the affected threads' last-modified times with the times of the membership removals.
In practice that means identifying thread-edit requests whose thread belongs to a mailbox the requesting user was not a member of at the time of the request.
Starting points for log inspection (adjust paths and patterns to your deployment):
- Identify the thread-edit route first. FreeScout is a Laravel application, so from the install directory `php artisan route:list | grep -i thread` lists the candidate routes and their URIs.
- Then search the web server access log for POST requests to that URI, for example `grep 'POST .*<URI from route:list>' /var/log/nginx/access.log`.
- Check the application log under `storage/logs/` in the install directory (Laravel's default log location) for entries tied to those requests.
Note that web server access logs do not record which FreeScout user made a request, so a hit there must still be tied to a user through the session or the application's own records. Because the mailbox membership shown in the administration interface reflects only the current state, keep a history of membership changes (an admin-action log, a periodic export, or database auditing) so that an edit can be compared against who was a member at that moment.
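The correlation described above, as an added example that is not part of the advisory or of FreeScout: membership changes and thread edits are replayed in timestamp order, and any edit by a user who was not a member of the thread's mailbox at that time is flagged. The log lines and their format are constructed for the example; `parse_line()` is the part to adapt to whatever your application log or audit table actually records (user id, thread id, mailbox id and a timestamp are the fields that matter).

```python
"""Flag thread edits made by users who were not mailbox members at the time.

Added example, not FreeScout code. Log format below is constructed.
"""
import re
from datetime import datetime

# Constructed sample log. Two event kinds, both with UTC ISO timestamps:
#   membership user=<id> mailbox=<id> action=<added|removed>
#   thread_edit user=<id> thread=<id> mailbox=<id>
SAMPLE_LOG = """\
2026-05-20T09:00:00Z membership user=7 mailbox=3 action=added
2026-05-20T09:00:00Z membership user=8 mailbox=3 action=added
2026-05-21T10:15:00Z thread_edit user=7 thread=101 mailbox=3
2026-05-22T08:00:00Z membership user=7 mailbox=3 action=removed
2026-05-23T14:42:10Z thread_edit user=7 thread=101 mailbox=3
2026-05-23T15:00:00Z thread_edit user=8 thread=102 mailbox=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>membership|thread_edit) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["kind"] = m["kind"]
    return fields


def find_edits_after_removal(log_text):
    """Return (timestamp, user, thread, mailbox) for edits by non-members.

    Membership is replayed in timestamp order, so an edit is judged against the
    membership state at its own time, not against the current state. Users with
    no recorded 'added' event for a mailbox are treated as non-members, so run
    this over a window that starts with a full membership snapshot.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    members = set()   # (user, mailbox) pairs currently in a mailbox
    flagged = []
    for e in events:
        key = (e["user"], e["mailbox"])
        if e["kind"] == "membership":
            if e["action"] == "added":
                members.add(key)
            else:
                members.discard(key)
        elif key not in members:
            flagged.append((e["ts"].isoformat(), e["user"], e["thread"], e["mailbox"]))
    return flagged


if __name__ == "__main__":
    for hit in find_edits_after_removal(SAMPLE_LOG):
        print("edit after removal:", hit)
```

Only the edit of thread 101 on 2026-05-23 is reported: the same user edited the same thread two days earlier while still a member, and that edit is legitimate under the fixed policy too. The edit window matters more than the pattern: in a real deployment the membership history has to come from an audit source, since the pivot table behind the mailbox-members page holds only the current membership.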
What immediate steps should I take to mitigate this vulnerability?
Upgrade FreeScout to version 1.8.221 or later; the fix adds a mailbox-membership check to the ThreadPolicy::edit method. The affected-products table above lists one range ending at 1.8.221 exclusive and one ending at 1.8.221 inclusive, so confirm the fixed version against the upstream release notes before treating 1.8.221 itself as safe.
Until the upgrade can be applied, limit PERM_EDIT_CONVERSATIONS to trusted users (the vulnerable path requires both that flag and authorship of the thread) and monitor thread edits by users who have recently been removed from a mailbox.
Also review recent mailbox membership removals: for each removed user, check the threads they authored in that mailbox for modifications dated after the removal, since those threads could already have been altered.