PatchSiren cyber security CVE debrief
CVE-2026-48810 freescout-help-desk CVE debrief
FreeScout, a PHP Laravel-based help desk and shared inbox application, contains an authorization bypass vulnerability in versions prior to 1.8.221. The ThreadPolicy::edit method fails to verify current mailbox membership when evaluating edit permissions. A user who previously created content in Mailbox A and was subsequently removed from that mailbox can continue to modify thread bodies if they retain the global PERM_EDIT_CONVERSATIONS permission. The policy validation checks only message authorship and the global permission flag, not whether the user currently belongs to the target mailbox. This represents a missing authorization check (CWE-285) where stale access rights persist after membership revocation. The vulnerability was identified during investigation of a related ThreadPolicy::delete issue, indicating a pattern of insufficient membership validation in the authorization layer. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N reflects network accessibility, low attack complexity, required low-privileged access, no user interaction, and limited integrity impact without confidentiality or availability effects.
- Vendor: freescout-help-desk
- Product: freescout
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations operating FreeScout help desk instances with dynamic team membership, particularly those with frequent personnel changes or contractor access requiring periodic mailbox removal. Security teams assessing Laravel application authorization patterns. Administrators responsible for access control auditing in shared inbox environments.
Technical summary
The ThreadPolicy::edit authorization gate in FreeScout evaluates two conditions: whether the user authored the thread content and whether the user possesses the global PERM_EDIT_CONVERSATIONS permission. The policy omits verification that the user currently belongs to the mailbox containing the thread. When an administrator removes a user from Mailbox A, the user's prior authorship of content in that mailbox combined with retained global edit permissions creates a stale authorization state. The user can continue issuing edit requests against threads in Mailbox A despite lacking current membership. The fix in 1.8.221 adds the missing membership check to the authorization gate. This vulnerability requires the attacker to have been previously authorized in the target mailbox and to have created content there before removal, limiting exposure to scenarios involving membership revocation.
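The pattern the summary describes, as an added illustration that is not FreeScout's own code: a Laravel-style policy whose edit gate checks only authorship and the global permission, beside the same gate with the mailbox-membership check added. The User, Thread and policy classes, the PERM_EDIT_CONVERSATIONS constant name and the isInMailbox helper are all assumed for the example; only the authorization logic mirrors what the advisory states.

```php
<?php
// Added example (not FreeScout's code): models a thread-edit policy before and
// after a current-membership check. All class, method and constant names are assumed.

const PERM_EDIT_CONVERSATIONS = 'edit_conversations';

class User
{
    public function __construct(
        public int $id,
        public array $permissions = [],  // global permission flags held by the user
        public array $mailboxIds = []    // mailboxes the user CURRENTLY belongs to
    ) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }

    public function isInMailbox(int $mailboxId): bool
    {
        return in_array($mailboxId, $this->mailboxIds, true);
    }
}

class Thread
{
    public function __construct(
        public int $id,
        public int $createdByUserId,  // original author of the thread body
        public int $mailboxId         // mailbox the thread lives in
    ) {}
}

class VulnerableThreadPolicy
{
    // Authorship plus global permission only: membership revocation is never consulted,
    // so a former mailbox member who authored the thread still passes.
    public function edit(User $user, Thread $thread): bool
    {
        return $thread->createdByUserId === $user->id
            && $user->can(PERM_EDIT_CONVERSATIONS);
    }
}

class HardenedThreadPolicy
{
    // Same gate, but the user must currently belong to the thread's mailbox.
    // Evaluating membership first means authorship can never override a revocation.
    public function edit(User $user, Thread $thread): bool
    {
        if (!$user->isInMailbox($thread->mailboxId)) {
            return false;
        }
        return $thread->createdByUserId === $user->id
            && $user->can(PERM_EDIT_CONVERSATIONS);
    }
}

// Constructed scenario: user 7 authored thread 42 in mailbox 1, was later removed
// from mailbox 1 (now only a member of mailbox 2), and keeps the global edit permission.
$formerMember = new User(id: 7, permissions: [PERM_EDIT_CONVERSATIONS], mailboxIds: [2]);
$thread = new Thread(id: 42, createdByUserId: 7, mailboxId: 1);

// The vulnerable gate still lets the former member through; the hardened gate rejects them.
var_dump((new VulnerableThreadPolicy())->edit($formerMember, $thread));
var_dump((new HardenedThreadPolicy())->edit($formerMember, $thread));
```

When auditing sibling policy methods for the same pattern, the useful question is whether every gate derives its answer from the user's current relationship to the resource's container (here, mailbox membership) rather than from facts fixed at creation time such as authorship.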
Defensive priority
medium
Recommended defensive actions
- Upgrade FreeScout to version 1.8.221 or later to obtain the authorization fix
- Review user access logs for unauthorized thread modifications by former mailbox members
- Audit ThreadPolicy and related authorization classes for consistent membership validation patterns
- Implement compensating controls such as mailbox-level access reviews when removing users from mailboxes
- Monitor for related authorization issues in sibling policy methods following the ThreadPolicy::delete and ThreadPolicy::edit findings
Evidence notes
Vulnerability description confirms the ThreadPolicy::edit method lacks mailbox membership verification. GitHub Security Advisory GHSA-3w38-h42v-3h6w cited as primary source. CWE-285 (Improper Authorization) assigned by [email protected]. Fix version 1.8.221 explicitly stated. CVSS 3.1 score 4.3 (Medium) with integrity impact only.
Official resources
- CVE-2026-48810 CVE record (CVE.org)
- CVE-2026-48810 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29