FreeScout CVE-2026-48810: Unauthorized Message Editing After Mailbox Removal
FreeScout, a free help desk platform built on Laravel, contains an authorization flaw in version 1.8.220 and earlier. A user with conversation editing permissions who authored a message in one mailbox can edit that message's content even after an administrator removes them from that mailbox. The vulnerability exploits a gap in access controls: the system verifies the user created the message and has the global edit permission, but fails to confirm the user still belongs to the mailbox where the conversation lives. This allows former mailbox members to alter thread history and potentially mislead team members or customers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag — not current mailbox membership. This vulnerability is fixed in 1.8.221.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The ThreadPolicy::edit method in FreeScout lacks a mailbox membership validation check. While the parallel ThreadPolicy::delete method was patched for the same issue, the edit pathway remained vulnerable. Users holding PERM_EDIT_CONVERSATIONS can modify message bodies if they authored them, but the policy enforcer does not verify current mailbox association. The vulnerability is rooted in CWE-285 (Improper Authorization), where permission checks are incomplete. The attack surface is limited to authenticated users with the specific permission and prior authorship of a message, but the timing window—between message creation and administrator role removal—creates an exploitable scenario in multi-tenant or team-based deployments.
Business impact
The integrity of help desk conversations and internal notes is compromised. A departing employee or compromised account could alter or erase the historical record of customer interactions, internal discussions, or ticket details without audit visibility (depending on FreeScout's logging). This undermines compliance with record-retention policies, customer communication audits, and incident investigation trails. In customer-facing deployments, it can damage trust and create potential liability if communication history is altered without detection. The impact is mitigated by the requirement for prior authorship and specific permissions, but the ability to edit after removal represents a control bypass.
Affected systems
FreeScout versions up to and including 1.8.220 are vulnerable. The platform is self-hosted, so exposure depends on deployment scope: small teams using FreeScout internally, managed service providers offering FreeScout as a platform, and organizations running shared inbox or help desk instances. The vulnerability requires an authenticated user with PERM_EDIT_CONVERSATIONS permission, limiting the risk to authorized personnel or compromised accounts with that role.
Exploitability
Exploitability is low to moderate. An attacker must be an authenticated user with PERM_EDIT_CONVERSATIONS permission and must have authored the target message before losing mailbox access. The attack is not remote in the sense of requiring external network exploitation—it is a logic bypass available to a legitimate user with partial permissions. No user interaction (UI:N per CVSS) is required once preconditions are met. The window of opportunity is bounded by the time between message creation and permission revocation. CVSS 4.3 (MEDIUM) reflects low attack complexity and low privilege requirements, offset by limited scope of impact (conversation integrity only, no system compromise, no data confidentiality loss).
Remediation
Upgrade FreeScout to version 1.8.221 or later. The patched version restores the mailbox membership check to the ThreadPolicy::edit method, ensuring that users cannot edit messages in mailboxes from which they have been removed, regardless of prior authorship or global permission flags. Organizations should prioritize this patch if they manage user roles dynamically or have high offboarding velocity.
Patch guidance
Apply FreeScout version 1.8.221 as soon as practical. The patch is a targeted authorization fix with minimal surface area, so regression risk is low. Test the update in a staging environment to verify conversation editing and mailbox access controls behave as expected. If your deployment uses role-based access controls to remove users from mailboxes during offboarding, this patch is critical to enforce that policy. Check release notes at the FreeScout repository or official advisory for any breaking changes or prerequisite steps.
Detection guidance
Monitor FreeScout application logs for edit actions on messages in mailboxes where the editor is no longer a member. Correlate message edit timestamps with user mailbox membership changes. If possible, enable detailed audit logging for ThreadPolicy operations. Search for edit events by users shortly after their removal from a mailbox—this pattern indicates potential exploitation. Database queries against conversation version history or audit tables can reveal unauthorized modifications. Organizations using SIEM integration should flag edit operations by recently deprovisioned users as suspicious.
Why prioritize this
This vulnerability is moderate priority. While CVSS 4.3 reflects low-to-medium risk, the issue affects data integrity and audit trails, which are critical for compliance (SOC 2, HIPAA, GDPR). Organizations with strict change-control or conversation-audit requirements should patch promptly. The fix is low-risk and can be deployed quickly. Conversely, small teams with infrequent role changes and low sensitivity to conversation tampering may defer patching, but should not leave it unaddressed indefinitely.
Risk score, explained
The CVSS 4.3 MEDIUM score reflects: (1) Network-accessible attack vector typical of web applications, (2) Low attack complexity with no special tools or conditions required, (3) Low privilege bar—any user with PERM_EDIT_CONVERSATIONS qualifies, (4) No user interaction needed, (5) No confidentiality impact, (6) Low integrity impact limited to message bodies in authorized mailboxes, (7) No availability impact. The score does not capture organizational context: businesses that heavily audit or legally retain conversation history face greater real-world impact than those that do not. The bounded scope (authenticated users, prior authorship, no system-wide data breach) prevents a higher score despite the authorization bypass nature.
Frequently asked questions
Can a user edit messages they did not author?
No. The vulnerability only allows editing of messages the attacker authored. The policy still enforces authorship; it simply fails to re-check mailbox membership after the user is removed from the mailbox.
Does this vulnerability allow access to other mailboxes or sensitive data?
No. The attack is narrowly scoped to editing the body text of messages already visible to the attacker. There is no elevation of privilege to view other mailboxes, no data exfiltration, and no system compromise. It is an integrity issue, not a confidentiality breach.
Do we need to rotate credentials or assume account compromise?
Not automatically. The vulnerability is a logic flaw in access control, not a credential leak or authentication bypass. However, if you detect suspicious edit activity after user removal, investigate whether the account was legitimately compromised or if the user deliberately exploited the window before formal revocation.
Will upgrading to 1.8.221 break our workflows?
Unlikely. The patch adds a missing authorization check; it does not alter the intended editing workflow for active mailbox members. Users with current mailbox membership and PERM_EDIT_CONVERSATIONS will continue to edit messages normally. The patch only blocks the unintended scenario of editing after removal.
This analysis is based on the public CVE record and FreeScout vendor advisory as of June 2026. SEC.co provides this explainer for informational and risk-assessment purposes. Organizations should verify patch availability, compatibility, and testing procedures against official vendor documentation before deployment. CVSS scores and severity ratings reflect industry-standard calculations but should be contextualized to your environment, data sensitivity, and regulatory obligations. This advisory does not constitute legal advice or a guarantee of security. Consult your security team and vendor support for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel