CVE-2026-48811
Severity: MEDIUM
FreeScout: Thread Deletion Bypasses Mailbox Access Revocation
Title source: cnaDescription
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.
References (1)
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6 (x_refsource_confirm)
Scores
CVSS v3
4.3
EPSS
0.0015
EPSS Percentile
5.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
freescout-help-desk/freescout
< 1.8.221
Published
May 29, 2026
Tracked Since
May 30, 2026