Authorization Flaw in FreeScout Help Desk Software by FreeScout
CVE-2026-48811

4.3MEDIUM

Key Information:

Vendor: Freescout-help-desk
Status: Freescout
Vendor: CVE Published:; 29 May 2026

🔔 Create Freescout-help-desk Vulnerability Alert

What is CVE-2026-48811?

FreeScout, a free help desk application built on PHP's Laravel framework, has an authorization flaw that enables non-admin users to permanently delete internal notes from any conversation. This weakness occurs even after the user’s access to the corresponding mailbox has been revoked. The insufficient validation in the ThreadPolicy::delete authorization policy fails to check for mailbox membership, allowing former team members to retain destructive capabilities over notes they previously created. This vulnerability was addressed in version 1.8.221.

Affected Version(s)

freescout < 1.8.221

References

https://github.com/freescout-help-desk/freescout/security...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 22, 2026

CVE-2026-48811 Data

JSON