CVE-2026-48811
Unauthorized Permanent Deletion of Internal Notes in FreeScout
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | before 1.8.221 (1.8.221 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48811 is a vulnerability in FreeScout, a help desk application, where non-admin users can permanently delete internal notes (private threads) from any conversation even after their access to the mailbox containing that conversation has been revoked.
This happens because the authorization policy `ThreadPolicy::delete` only checks if the user created the note but does not verify if the user still has access to the mailbox. As a result, former team members retain destructive write access to notes they created.
An attacker with a valid session cookie and CSRF token can exploit this by sending a crafted POST request to the `/conversation/ajax` endpoint with parameters to delete a note they previously created, even after being removed from the mailbox.
How can this vulnerability impact me?
This vulnerability can lead to permanent deletion of sensitive internal notes, which may include important audit trails or private communications within the help desk system.
Such deletion can result in tampering with audit trails, loss of critical information, and potential disruption of internal processes that rely on these notes.
Because the attack requires only low privileges and low attack complexity, it poses a moderate risk to organizations using vulnerable versions of FreeScout.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the `/conversation/ajax` endpoint with parameters indicating an attempt to delete an internal note (`action=delete_thread`) together with the note's thread ID.
Specifically, detection involves looking for non-admin users sending such delete requests for notes they previously created, especially after their mailbox access has been revoked.
You can use network monitoring tools or web server logs to identify such requests.
- Use command-line tools like grep or awk on web server logs to find POST requests to `/conversation/ajax` with `action=delete_thread`.
- Example command: `grep 'POST /conversation/ajax' /var/log/apache2/access.log | grep 'action=delete_thread'`
- Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on such suspicious requests.
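The grep above is a starting point, but a standard Apache or nginx access log records only the request line, so form-encoded POST parameters do not appear in it; `action=delete_thread` is only visible when it travels in the query string. The following script, added here as an example and not part of the advisory or of FreeScout, parses combined-format log lines, flags every POST to `/conversation/ajax`, and records whether the delete action was actually visible or whether the request is merely a candidate that needs correlation with FreeScout's own application logs. The sample log lines are constructed, and `thread_id` is an assumed placeholder for whatever parameter name carries the note's thread ID.

```python
import re
import sys
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (synthetic, not real traffic).
# Line 2 carries the parameters in the query string; line 3 is a POST whose
# form body (where the ajax parameters normally travel) is not logged.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2026:10:01:12 +0000] "GET /conversation/1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2026:10:01:40 +0000] "POST /conversation/ajax?action=delete_thread&thread_id=987 HTTP/1.1" 200 45 "https://helpdesk.example/conversation/1234" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:02:03 +0000] "POST /conversation/ajax HTTP/1.1" 200 45 "https://helpdesk.example/conversation/77" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:02:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# "action=delete_thread" comes from the advisory; "thread_id" is an assumed
# placeholder for the parameter that carries the note's thread ID.
ACTION_PARAM, ACTION_VALUE, THREAD_PARAM = "action", "delete_thread", "thread_id"
ENDPOINT = "/conversation/ajax"


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def find_delete_thread_requests(log_text):
    """Flag POSTs to the ajax endpoint.

    evidence is 'delete_thread' when the action is visible in the query string and
    'endpoint_only' when the body was not logged and the action is unknown."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != ENDPOINT:
            continue
        action = rec["query"].get(ACTION_PARAM, [None])[0]
        if action is not None and action != ACTION_VALUE:
            continue  # some other ajax action, visible and outside this rule
        hits.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "status": rec["status"],
            "thread_id": rec["query"].get(THREAD_PARAM, [None])[0],
            "evidence": "delete_thread" if action == ACTION_VALUE else "endpoint_only",
        })
    return hits


def count_by_ip(hits):
    """Flagged requests per client address, useful for spotting a burst of deletions."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_delete_thread_requests(text)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} status={h["status"]} '
              f'thread_id={h["thread_id"]} evidence={h["evidence"]}')
    print("per-ip:", dict(count_by_ip(hits)))
```

Run it with a log path as the first argument, or with no argument to see the constructed sample. Treat `endpoint_only` hits as leads to check against FreeScout's application-level audit of which user deleted which note, since the access log cannot tell a delete from any other ajax action in a POST body.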
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeScout to version 1.8.221 or later, where the vulnerability is fixed by adding mailbox membership verification in the ThreadPolicy::delete authorization method.
Until the upgrade can be applied, restrict non-admin user access and monitor for suspicious deletion requests as a temporary measure.
Additionally, review and limit user permissions to prevent revoked users from retaining destructive write access.
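The explanation above (the `ThreadPolicy::delete` check that only tests note authorship) and the fix described for 1.8.221 (adding mailbox membership verification) are shown side by side in the following Python model. This is an added illustration, not FreeScout's PHP code: the `User`, `Mailbox` and `Note` types, the two policy functions and the scenario are all simplified constructs, and the membership set stands in for whatever FreeScout uses to record mailbox access.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass
class Mailbox:
    id: int
    member_ids: set = field(default_factory=set)  # users who currently have access


@dataclass
class Note:
    """An internal note (private thread) in a conversation that belongs to one mailbox."""
    id: int
    created_by: int
    mailbox: Mailbox


def can_delete_ownership_only(user, note):
    """Vulnerable pattern (modelled on the advisory): the author may always delete,
    regardless of whether they still have access to the mailbox."""
    return user.is_admin or note.created_by == user.id


def can_delete_with_membership(user, note):
    """Hardened pattern: the author must also still be a member of the note's mailbox."""
    if user.is_admin:
        return True
    return note.created_by == user.id and user.id in note.mailbox.member_ids


def delete_note(user, note, store, policy):
    """Permanently remove a note from `store` if `policy` allows it; otherwise refuse."""
    if not policy(user, note):
        raise PermissionError(f"user {user.id} may not delete note {note.id}")
    del store[note.id]


def revoked_author_scenario(policy):
    """Return True if a former mailbox member can still delete their own note under `policy`."""
    alice = User(id=7)
    support = Mailbox(id=1, member_ids={7, 8})
    store = {42: Note(id=42, created_by=alice.id, mailbox=support)}
    support.member_ids.discard(alice.id)  # alice's access to the mailbox is revoked
    try:
        delete_note(alice, store[42], store, policy)
    except PermissionError:
        return False
    return 42 not in store


def current_member_scenario(policy):
    """Return True if an author who still belongs to the mailbox can delete their note."""
    bob = User(id=8)
    support = Mailbox(id=1, member_ids={7, 8})
    store = {43: Note(id=43, created_by=bob.id, mailbox=support)}
    try:
        delete_note(bob, store[43], store, policy)
    except PermissionError:
        return False
    return 43 not in store


if __name__ == "__main__":
    for name, policy in (("ownership-only", can_delete_ownership_only),
                         ("membership-aware", can_delete_with_membership)):
        print(f"{name}: revoked author can delete = {revoked_author_scenario(policy)}, "
              f"current member can delete = {current_member_scenario(policy)}")
```

The point of the second policy is that authorization has to be evaluated against the user's current relationship to the mailbox at the time of the request, not against a fact (authorship) that was true when the note was written; a membership check also has the side benefit of making access revocation an immediate, single-point control.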