CVE-2026-48811: CWE-862: Missing Authorization in freescout-help-desk freescout
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.
AI Analysis
Technical Summary
CVE-2026-48811 is a missing authorization vulnerability (CWE-862) in FreeScout, a PHP Laravel-based help desk application. Before version 1.8.221, the ThreadPolicy::delete authorization check does not verify whether the user is still a member of the mailbox when a request is made to delete an internal note (private thread). Consequently, a non-admin user who previously had access, but whose mailbox membership has since been revoked, can still delete notes they created, which amounts to unauthorized destructive write access. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), and no exploitation in the wild has been reported. It is addressed in FreeScout version 1.8.221.
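As an added illustration (not FreeScout's own code; the Thread, Conversation, Mailbox and User models, the isNote(), isAdmin() and mailboxes() members, and the created_by_user_id column are all assumptions), the policy shape the advisory describes, beside a hardened form that re-checks the user's current mailbox membership on every delete decision:

```php
<?php
// Illustrative Laravel policy modelled on the advisory, not FreeScout's code.
// Model, relation and column names below are assumptions for the example.

namespace App\Policies;

use App\Thread;
use App\User;

class ThreadPolicy
{
    // Vulnerable shape (CWE-862): authorship alone decides. A user whose
    // mailbox access was revoked still passes, because mailbox membership
    // is never consulted.
    public function deleteVulnerable(User $user, Thread $thread): bool
    {
        return $thread->isNote() && $thread->created_by_user_id === $user->id;
    }

    // Hardened shape: membership in the mailbox that owns the conversation
    // is a precondition for every non-admin decision, checked at request
    // time against the database rather than cached on the session.
    public function delete(User $user, Thread $thread): bool
    {
        if (!$thread->isNote()) {
            return false;
        }

        if ($user->isAdmin()) {
            return true;
        }

        $mailboxId = $thread->conversation->mailbox_id;

        // Assumed belongsToMany relation User->mailboxes(); a live query so a
        // revocation takes effect immediately.
        $stillMember = $user->mailboxes()
            ->where('mailboxes.id', $mailboxId)
            ->exists();

        if (!$stillMember) {
            return false; // revoked or never granted: deny regardless of authorship
        }

        return $thread->created_by_user_id === $user->id;
    }
}
```

A regression test for this class of bug grants a user mailbox access, lets them create a note, revokes the access, and then asserts that `Gate::allows('delete', $thread)` returns false for that user.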
Potential Impact
The vulnerability allows a non-admin user to delete internal notes from conversations even after their access to the mailbox is revoked. This results in unauthorized modification of data (integrity impact) but does not affect confidentiality or availability. The impact is limited to the ability to remove private notes, which may disrupt internal communication or record-keeping within the help desk system.
Mitigation Recommendations
This vulnerability is fixed in FreeScout version 1.8.221. Users should upgrade to version 1.8.221 or later to remediate this issue. Since no official patch link or advisory is provided here, confirm upgrade availability through the vendor's official sources. No additional mitigation is indicated.
CVSS v3.1 Score: 4.3 (Medium)
Weaknesses: CWE-862: Missing Authorization
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-22T20:57:10.976Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- GCVE Source: db.gcve.eu
Threat ID: 6a19feb2e29bf47b500fc285
Added to database: 5/29/2026, 9:01:38 PM
Last enriched: 5/29/2026, 9:03:37 PM
Last updated: 5/31/2026, 4:54:44 AM