PatchSiren cyber security CVE debrief

CVE-2026-48811 freescout-help-desk CVE debrief

A missing authorization check in FreeScout's ThreadPolicy::delete method allows former team members to permanently delete internal notes from conversations even after their mailbox access has been revoked. The vulnerability exists because the authorization policy does not verify current mailbox membership before permitting deletion operations. This affects FreeScout versions prior to 1.8.221. The issue was disclosed via GitHub Security Advisory and is classified as CWE-862 (Missing Authorization).

Vendor: freescout-help-desk
Product: freescout
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

FreeScout administrators managing multi-user help desk deployments with rotating or terminated staff members; organizations with compliance requirements for audit trail preservation of internal communications

Technical summary

FreeScout versions before 1.8.221 fail to verify current mailbox membership in the ThreadPolicy::delete authorization policy. A user who previously had access to a mailbox and created internal notes retains the ability to delete those notes even after their mailbox access is revoked. The vulnerability is remotely exploitable by authenticated users with prior mailbox access. No confidentiality impact; integrity impact is low (deletion only). Fixed in version 1.8.221.

Defensive priority

medium

Recommended defensive actions

  • Upgrade FreeScout to version 1.8.221 or later to obtain the fixed ThreadPolicy::delete authorization check
  • Review mailbox access logs for unauthorized deletion activity by former team members between their access revocation and the upgrade date
  • Audit conversation histories for missing internal notes that may indicate exploitation
  • Implement mailbox membership verification as a defense-in-depth control for all thread modification operations
  • Review and test authorization policies for other thread operations to identify similar gaps
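The defense-in-depth control above (gating every thread mutation on current mailbox membership) is easiest to reason about as a policy whose first question is "is this user a member of the owning mailbox right now?" and only then "did they write the note?". The script below is an added illustration and is not FreeScout's own ThreadPolicy or models: the Mailbox, User and Thread classes, their method names, and the deleteWithoutMembershipCheck/canModify helpers are assumptions chosen for the example. It contrasts an authorship-only check with a membership-gated one and walks through the revocation scenario from the summary.

```php
<?php
declare(strict_types=1);

// Minimal in-memory stand-ins for the help desk's models (assumed names,
// not FreeScout's Eloquent classes).
final class Mailbox
{
    /** @var array<int, true> user ids that are CURRENT members */
    private array $members = [];

    public function __construct(public readonly int $id) {}

    public function grant(int $userId): void  { $this->members[$userId] = true; }
    public function revoke(int $userId): void { unset($this->members[$userId]); }
    public function hasMember(int $userId): bool { return isset($this->members[$userId]); }
}

final class User
{
    public function __construct(public readonly int $id, public readonly bool $isAdmin = false) {}
}

final class Thread
{
    public function __construct(
        public readonly int $id,
        public readonly Mailbox $mailbox,      // mailbox owning the conversation
        public readonly int $createdByUserId,  // author of the internal note
    ) {}
}

final class ThreadPolicy
{
    // Weak variant (the CWE-862 pattern): authorship alone decides, so a
    // user whose mailbox access was revoked can still delete their notes.
    public function deleteWithoutMembershipCheck(User $user, Thread $thread): bool
    {
        return $user->isAdmin || $thread->createdByUserId === $user->id;
    }

    // Hardened variant: current mailbox membership is a precondition for
    // the mutation; authorship or admin role is evaluated only after it.
    public function delete(User $user, Thread $thread): bool
    {
        return $this->canModify($user, $thread)
            && ($user->isAdmin || $thread->createdByUserId === $user->id);
    }

    // The same gate applied to another mutation, so all thread
    // modification operations share one membership check.
    public function update(User $user, Thread $thread): bool
    {
        return $this->canModify($user, $thread)
            && ($user->isAdmin || $thread->createdByUserId === $user->id);
    }

    private function canModify(User $user, Thread $thread): bool
    {
        return $user->isAdmin || $thread->mailbox->hasMember($user->id);
    }
}

function check(string $label, bool $expected, bool $actual): void
{
    if ($expected !== $actual) {
        throw new RuntimeException("$label: expected " . var_export($expected, true));
    }
    echo "$label: ok\n";
}

// Walk-through: a user writes a note, then their mailbox access is revoked.
$support = new Mailbox(1);
$alice   = new User(42);
$support->grant($alice->id);
$note    = new Thread(7, $support, $alice->id);
$policy  = new ThreadPolicy();

check('member may delete own note (weak)',     true, $policy->deleteWithoutMembershipCheck($alice, $note));
check('member may delete own note (hardened)', true, $policy->delete($alice, $note));

$support->revoke($alice->id);

// After revocation the weak policy still authorizes the former member;
// the membership-gated policy denies both delete and update.
check('former member still allowed (weak)',  true,  $policy->deleteWithoutMembershipCheck($alice, $note));
check('former member denied delete (hardened)', false, $policy->delete($alice, $note));
check('former member denied update (hardened)', false, $policy->update($alice, $note));
```

Run it with `php policy_demo.php`; the third check passing is exactly the behaviour the advisory describes, and the last two show the gate closing it. In a real Laravel policy the membership lookup would be a query against the mailbox-user pivot rather than an in-memory set, and the same private gate should sit in front of every ability the policy exposes, not only delete.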

Evidence notes

Vulnerability confirmed by GitHub Security Advisory GHSA-9vx8-gx3p-9mh6. CVSS 3.1 score 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Fix version 1.8.221 explicitly addresses the authorization gap in ThreadPolicy::delete.

Official resources

2026-05-29