CVE-2026-48810
Deferred Deferred - Pending Action
Thread Body Rewrite in FreeScout Help Desk

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag β€” not current mailbox membership. This vulnerability is fixed in 1.8.221.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-48810
EUVD
EUVD-2026-33438
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freescout freescout to 1.8.221 (exc)
freescout freescout to 1.8.221 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48810 is an authorization bypass vulnerability in FreeScout, a help desk software. It occurs because the ThreadPolicy::edit method does not verify if a user is currently a member of the mailbox before allowing them to edit a thread. Instead, it only checks if the user is the author and has a global permission flag (PERM_EDIT_CONVERSATIONS). This means that a user who created a message or internal note in a mailbox can still edit that thread's content even after being removed from the mailbox by an administrator.

An attacker can exploit this by first creating a reply or note in a conversation while still a mailbox member, then after being removed from the mailbox, use a crafted POST request with a valid session to silently modify the thread's body in the database without any user interface access. This allows unauthorized editing of prior replies and internal notes.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to silently modify the content of conversation threads in FreeScout after they have been removed from the mailbox. This undermines the integrity of the audit trail, as prior replies and internal notes can be rewritten without detection.

The impact is primarily on data integrity, as the vulnerability does not affect confidentiality or availability. However, the ability to alter conversation history can lead to misinformation, loss of trust, and potential misuse of the help desk records.

Detection Guidance

This vulnerability can be detected by monitoring for unusual POST requests that attempt to edit thread content in FreeScout, especially from users who have been removed from the mailbox but still hold the PERM_EDIT_CONVERSATIONS permission.

Specifically, detection involves identifying crafted POST requests targeting the thread editing endpoint with thread IDs that the user should no longer have access to.

Commands to assist detection could include inspecting web server logs or application logs for suspicious POST requests. For example, using grep to search for POST requests to the thread edit API endpoint:

  • grep 'POST /api/thread/edit' /var/log/nginx/access.log
  • grep 'thread_id=' /var/log/freescout/app.log

Additionally, monitoring user permissions and mailbox membership changes can help correlate if a user who was removed from a mailbox is still attempting to edit threads.

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.221 or later, where the vulnerability has been fixed by adding mailbox membership checks in the ThreadPolicy::edit method.

Until the upgrade can be applied, restrict the PERM_EDIT_CONVERSATIONS permission to trusted users only and monitor for suspicious thread editing activity.

Additionally, review and audit mailbox membership changes to ensure that users removed from mailboxes cannot continue to edit threads.

Compliance Impact

This vulnerability allows a user to silently modify prior replies and internal notes in a help desk system without proper authorization checks, posing an audit-trail integrity risk.

Such unauthorized modifications can undermine the integrity and reliability of records, which are critical for compliance with standards and regulations like GDPR and HIPAA that require accurate and tamper-evident audit trails.

Therefore, this vulnerability could negatively impact compliance by allowing unauthorized data alterations that violate data integrity and accountability requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart