
CVE-2026-48810 - FreeScout Thread Edit Authorization Bypass via Missing Mailbox Check

Published Date: May 29, 2026

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions prior to 1.8.221, the ThreadPolicy::edit method contains an authorization flaw: a user holding the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can still rewrite that thread's body after an administrator has removed them from Mailbox A. The policy checks only authorship and a global permission flag and never verifies the user's current membership in the mailbox that owns the thread.

This vulnerability has been addressed in version 1.8.221. 🚀
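As an added illustration (not FreeScout's own code and not the actual patch shipped in 1.8.221), the shape of the defect in a Laravel-style policy class: the authorship-plus-global-flag check that permits the bypass, beside a hardened check that additionally requires current membership in the thread's mailbox. All class, property and method names apart from ThreadPolicy::edit are assumed.

```php
<?php
// Illustrative sketch, not FreeScout's code: a Laravel-style policy that
// authorizes a thread edit on authorship plus a global permission flag
// (vulnerable) beside one that also requires current mailbox membership.

final class User
{
    public function __construct(
        public int $id,
        public array $permissions,  // e.g. ['edit_conversations']
        public array $mailboxIds,   // mailboxes the user currently belongs to
    ) {}
    public function hasPermission(string $perm): bool
    {
        return in_array($perm, $this->permissions, true);
    }
    public function hasAccessToMailbox(int $mailboxId): bool
    {
        return in_array($mailboxId, $this->mailboxIds, true);
    }
}
final class Thread
{
    // createdByUserId: author; mailboxId: mailbox of the parent conversation
    public function __construct(public int $createdByUserId, public int $mailboxId) {}
}

final class ThreadPolicy
{
    // Vulnerable shape: authorship and a global flag, no mailbox check.
    public function editVulnerable(User $user, Thread $thread): bool
    {
        return $thread->createdByUserId === $user->id
            && $user->hasPermission('edit_conversations');
    }
    // Hardened shape: the author must still belong to the thread's mailbox.
    public function edit(User $user, Thread $thread): bool
    {
        return $thread->createdByUserId === $user->id
            && $user->hasPermission('edit_conversations')
            && $user->hasAccessToMailbox($thread->mailboxId);
    }
}

// Constructed scenario: author of a thread in mailbox 1 now belongs only to mailbox 2.
$user   = new User(id: 7, permissions: ['edit_conversations'], mailboxIds: [2]);
$thread = new Thread(createdByUserId: 7, mailboxId: 1);
$policy = new ThreadPolicy();
var_dump($policy->editVulnerable($user, $thread)); // still allowed: the bypass
var_dump($policy->edit($user, $thread));           // denied
```

The same membership check belongs in every policy method that acts on a conversation-scoped object, since revoking mailbox access is only meaningful if each authorization decision re-reads it.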

CVE Details

  • CVE ID: CVE-2026-48810
  • CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CWE Category: CWE-285

This post is licensed under CC BY 4.0 by the author.