Authorization Flaw in FreeScout Help Desk Software
CVE-2026-48810

4.3 MEDIUM

Key Information:

CVE Published: 29 May 2026

What is CVE-2026-48810?

FreeScout, an open-source help desk application built on the Laravel framework, has a security issue that allows users with specific permissions to manipulate conversation threads. When a user possesses the PERM_EDIT_CONVERSATIONS permission and has created a message in Mailbox A, they can alter that thread's content even after being removed from Mailbox A by an administrator. This occurs because the system's policy checks rely solely on authorship and a global permission flag, neglecting to verify the user's current membership in the mailbox. This oversight has been addressed in version 1.8.221.
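
The policy gap described above, modelled as an added example (not FreeScout's code and not the project's patch). Only PERM_EDIT_CONVERSATIONS is taken from the advisory; the classes, function names and sample IDs are hypothetical, and the hardened check is one way to add the missing membership test.

```php
<?php
// Constructed model of the flaw. Class and function names are hypothetical;
// only the PERM_EDIT_CONVERSATIONS name comes from the advisory.
const PERM_EDIT_CONVERSATIONS = 'edit_conversations'; // value is a placeholder

final class User {
    public function __construct(
        public int $id,
        public array $permissions, // global permission flags
        public array $mailboxIds   // mailboxes the user currently belongs to
    ) {}

    public function hasPermission(string $perm): bool {
        return in_array($perm, $this->permissions, true);
    }
}

final class Thread {
    public function __construct(public int $createdByUserId, public int $mailboxId) {}
}

// Before: authorship plus a global flag, with no look at mailbox membership.
function canEditThreadVulnerable(User $user, Thread $thread): bool {
    return $user->hasPermission(PERM_EDIT_CONVERSATIONS)
        && $thread->createdByUserId === $user->id;
}

// After: current membership in the thread's mailbox is required first.
function canEditThreadHardened(User $user, Thread $thread): bool {
    if (!in_array($thread->mailboxId, $user->mailboxIds, true)) {
        return false; // removed from the mailbox: authorship no longer matters
    }
    return canEditThreadVulnerable($user, $thread);
}

// Constructed scenario: an agent writes a thread in Mailbox A (id 1).
$mailboxA = 1;
$mailboxB = 2;
$agent  = new User(7, [PERM_EDIT_CONVERSATIONS], [$mailboxA, $mailboxB]);
$thread = new Thread($agent->id, $mailboxA);

// An administrator then removes the agent from Mailbox A.
$agent->mailboxIds = [$mailboxB];

// Compare the two decisions for the same user and thread.
var_dump(canEditThreadVulnerable($agent, $thread));
var_dump(canEditThreadHardened($agent, $thread));
```

When reviewing similar policies, check that every object-level rule resolves the parent container (here, the mailbox) and tests the caller's current access to it before considering ownership or global flags.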

Affected Version(s)

freescout < 1.8.221

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
