CVE-2026-48811: FreeScout Authorization Bypass – Unauthorized Thread Deletion
FreeScout, an open-source helpdesk and shared inbox platform, contains a flaw that allows former team members to permanently delete internal notes—even after their access to the mailbox has been revoked. A non-admin user who previously created private threads in a conversation can return and destroy those notes without authorization, because the system fails to verify whether the user still belongs to the mailbox. This affects FreeScout versions before 1.8.221.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in FreeScout's ThreadPolicy::delete authorization policy, which governs deletion of internal notes (private threads). The policy enforces insufficient access checks: it does not validate current mailbox membership before permitting deletion. An authenticated user can craft delete requests for threads they authored, and the authorization check will pass even if that user has been removed from the mailbox. This is a classic authorization bypass rooted in incomplete policy logic (CWE-862: Missing Authorization). The flaw requires network access and valid credentials, but the credentials need only have been valid at some point—revocation is not properly enforced at deletion time.
Business impact
An organization using FreeScout faces the risk of malicious or negligent data destruction by departing employees. Former team members retain the ability to permanently erase sensitive internal communications, case notes, and audit trails without detection or prevention. This undermines accountability, complicates dispute resolution, and may violate compliance requirements (e.g., HIPAA, GDPR, SOX) that mandate preservation of business records. The damage is silent: deletion leaves no audit trail that could alert administrators before data is lost.
Affected systems
FreeScout versions prior to 1.8.221 are affected. The vulnerability applies to any installation where users have been provisioned with mailbox access and subsequently offboarded. Non-admin users are the primary threat vector, as they lack direct administrative controls and can exploit the weak authorization check to delete notes. Admin users are unaffected because they typically operate under a separate, more permissive policy path.
Exploitability
Exploitation requires valid user credentials and network access to the FreeScout instance. An attacker must have formerly been assigned to a mailbox and authored at least one internal note. Once offboarded, the attacker can authenticate, navigate to conversations containing their notes, and delete them without triggering any authorization denial or alarm. No special tools or advanced techniques are required; the exploit is straightforward HTTP requests. The attack is low-friction for insiders but not exploitable by external threat actors without prior credentials.
Remediation
Upgrade to FreeScout 1.8.221 or later, which corrects the ThreadPolicy::delete authorization logic to enforce mailbox membership verification at deletion time. Organizations should also conduct an audit of recent thread deletions (if available in logs) to detect any suspicious activity by departed users, and review offboarding procedures to ensure timely credential revocation.
Patch guidance
Apply the 1.8.221 update through your standard FreeScout deployment channel (self-hosted updates or vendor distribution). Before patching, back up your database to ensure no data loss during the update process. Test the patch in a non-production environment first to confirm it does not interfere with legitimate note deletion workflows. After patching, verify in your audit logs that the deletion authorization checks are functioning as expected by attempting to delete a note with a revoked user account (in a test environment).
Detection guidance
Monitor FreeScout's audit logs for deletion events on internal notes by users who are no longer assigned to the mailbox. Correlate deletion timestamps with offboarding records. If your FreeScout instance logs API or database activity, search for DELETE or UPDATE operations on the threads table filtered by user IDs of former team members. Implement real-time alerting on thread deletions to flag anomalies. If audit logs are not yet available, prioritize upgrading to 1.8.221 to ensure future detection capability.
Why prioritize this
Although the CVSS score is moderate (4.3), the business impact is notable for organizations handling sensitive customer data or regulated information. The threat is primarily insider-focused, which reduces overall risk for most deployments but is highly material for organizations with high employee turnover or access to confidential records. The ease of exploitation by departing employees makes this a solid candidate for near-term patching, particularly for firms in healthcare, legal services, or financial support industries.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: network-based attack vector (AV:N), low complexity (AC:L), requirement for prior login (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L—deletion of data), and no availability impact (A:N). The integrity impact is constrained because the attacker can only delete notes they authored; they cannot modify or create malicious content. The score underweights insider risk relative to the business sensitivity of the data at stake, so organizations handling high-value records should consider this vulnerability more urgent than the CVSS suggests.
Frequently asked questions
Can an external attacker exploit this vulnerability?
No. The flaw requires valid user credentials and prior assignment to the target mailbox. An external attacker would need to obtain compromised credentials from a current or former FreeScout user, making this primarily an insider risk.
Does upgrading to 1.8.221 prevent already-deleted notes from being recovered?
No. The patch prevents future unauthorized deletions but does not restore data already deleted by the vulnerability. To recover lost notes, you would need to restore from a backup taken before the deletion occurred. This underscores the importance of prompt patching and regular backup procedures.
Will departing users be automatically logged out after upgrade?
No. The patch only corrects the authorization check for thread deletion. Departing users should be manually deprovisioned by an administrator—removing their account or mailbox assignments—as part of your standard offboarding process. Ensure your offboarding checklist includes FreeScout access removal.
How can I verify the patch is working correctly?
After upgrading, create a test user, assign them to a mailbox, have them create and attempt to delete an internal note, then remove them from the mailbox. Attempt deletion as the removed user; the system should now deny the deletion with a permission error. If deletion still succeeds, verify the upgrade completed fully and check your FreeScout logs for any errors during the patching process.
This analysis is for informational purposes and does not constitute legal, compliance, or professional security advice. Verify all patch versions and compatibility against the official FreeScout advisory before deployment. Organizations must assess their own risk tolerance and compliance obligations. SEC.co does not warrant the completeness or accuracy of vulnerability databases and recommends consulting primary vendor advisories for definitive guidance. Always test patches in a controlled environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis