VYPR
Medium severity · 4.3 (NVD) · Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-48810

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag — not current mailbox membership. This vulnerability is fixed in 1.8.221.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FreeScout prior to 1.8.221 allows users removed from a mailbox to edit their old threads due to missing mailbox membership check in ThreadPolicy::edit.

Vulnerability

FreeScout prior to version 1.8.221 contains an authorization bypass vulnerability in the ThreadPolicy::edit method. The policy's TYPE_MESSAGE and TYPE_NOTE branch checks only authorship and the global PERM_EDIT_CONVERSATIONS permission, but does not verify that the user still has access to the mailbox containing the conversation. This mirrors a previously reported issue in ThreadPolicy::delete. Affected versions are all releases before 1.8.221 [1].

Exploitation

An attacker must have a valid account with the PERM_EDIT_CONVERSATIONS permission and must have authored at least one message or internal note in a mailbox (Mailbox A) to which they had access. After an administrator removes the attacker from Mailbox A, the attacker can call the edit endpoint on those previously authored threads. Because the policy only checks that the user created the thread and holds the global permission, it grants access despite the user no longer being a member of Mailbox A [1].

Impact

An agent who has been removed from a mailbox can continue to rewrite the body of messages and internal notes they created in that mailbox. This allows modification of conversation content after the user should no longer have any access, tampering with help desk records. The integrity of mailbox conversations is affected; the description does not claim that removed agents can read conversations they can no longer access [1].

Mitigation

The vulnerability is fixed in FreeScout 1.8.221 (commit ae68e194b14f). Upgrading to this version or later resolves the issue. No workarounds are documented; organizations unable to upgrade immediately should review which agents hold PERM_EDIT_CONVERSATIONS, restrict it where it is not needed, and audit edits made by agents after their mailbox access was revoked [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Freescout/Freescout (inferred), 2 versions
    • (no CPE) range: <1.8.221

Patches

1 patch

Commit ae68e194b14f

Improve permissions check when editing messages - GHSA-3w38-h42v-3h6w

https://github.com/freescout-help-desk/freescout · FreeScout · May 18, 2026 · Fixed in 1.8.221 (via llm-release-walk)
1 file changed · +9 −2
  • app/Policies/ThreadPolicy.php (+9 −2, modified)
    @@ -23,8 +23,13 @@ public function edit(User $user, Thread $thread)
             if ((
                     $thread->created_by_user_id 
                     && in_array($thread->type, [Thread::TYPE_MESSAGE, Thread::TYPE_NOTE])
    -                && ($user->isAdmin() || ($user->hasPermission(User::PERM_EDIT_CONVERSATIONS) && $thread->created_by_user_id == $user->id))
    -            ) || (
    +                && ($user->isAdmin() || (
    +                        $user->hasPermission(User::PERM_EDIT_CONVERSATIONS)
    +                        && $thread->created_by_user_id == $user->id
    +                        && $thread->conversation
    +                        && $thread->conversation->userHasAccessToMailbox($user->id)
    +                    )
    +                )) || (
                     $thread->created_by_customer_id
                     && in_array($thread->type, [Thread::TYPE_CUSTOMER])
                     && $thread->conversation
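Review bot: the `$user->isAdmin()` short-circuit on the first added line still bypasses the new mailbox check entirely, so an admin author can edit a message or note in any mailbox; if admins are implicitly members of every mailbox that is correct, but it deserves a comment, since the advisory text frames the fix as "current mailbox membership" and a reader of this branch will not see where admins get it. The new `&& $thread->conversation && $thread->conversation->userHasAccessToMailbox($user->id)` pair fails closed when the conversation is missing, which is the right default. The same two conditions already appear in the `TYPE_CUSTOMER` branch that follows; consider factoring them into one helper so that the next sibling method (the advisory notes `delete` had the identical omission) cannot drift out of step again.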
    @@ -51,6 +56,8 @@ public function delete(User $user, Thread $thread)
             }
         }
     
    +    // If user can see only assigned conversations,
    +    // check if he/she has access to the conversation.
         public function checkIsOnlyAssigned($conversation, $user)
         {
             // Maybe user can see only assigned conversations.
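Review bot: the two added `//` lines above `checkIsOnlyAssigned` restate the method name and duplicate the existing "Maybe user can see only assigned conversations." comment on the next line; if a description is wanted, a PHPDoc block (`/** ... */` with `@param` and `@return`) would document the contract rather than repeat it, and the inline comment could then be dropped. Nothing else in this hunk changes behaviour, so it is unrelated to the GHSA fix and would be cleaner as a separate commit.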
    

Vulnerability mechanics

Root cause

"Missing mailbox membership check in ThreadPolicy::edit allows a removed agent to edit their own prior threads."

Attack vector

An authenticated agent with `PERM_EDIT_CONVERSATIONS` who created a message or note in Mailbox A can later edit that thread's body after an administrator removes them from Mailbox A. The policy only checks authorship and a global permission flag, not current mailbox membership [1]. The attacker sends a POST request to `/conversation/ajax` with `action=save_edit_thread` and a tampered body, and the server updates the thread without verifying the agent's current access [1]. This is a missing authorization check (CWE-862).

Affected code

The vulnerability resides in `app/Policies/ThreadPolicy.php`, specifically in the `edit()` method. The `TYPE_MESSAGE`/`TYPE_NOTE` branch lacked a `userHasAccessToMailbox()` check that was already present in the `TYPE_CUSTOMER` branch. The `save_edit_thread` action in `ConversationsController.php` relies solely on this policy gate before writing to the database.

What the fix does

The patch (commit ae68e194b14f above) adds `$thread->conversation && $thread->conversation->userHasAccessToMailbox($user->id)` to the `TYPE_MESSAGE`/`TYPE_NOTE` branch of `ThreadPolicy::edit()`. This ensures that even if the user is the author and holds the global `PERM_EDIT_CONVERSATIONS` permission, they must still have current access to the mailbox containing the conversation. The fix mirrors the check already present in the `TYPE_CUSTOMER` branch and in `ConversationPolicy::update`.
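The following stand-alone script is an added example, not FreeScout's code: it models the `TYPE_MESSAGE`/`TYPE_NOTE` branch of `ThreadPolicy::edit()` before and after the patch with toy `User`, `Mailbox`, `Conversation` and `Thread` classes, so the Exploitation scenario above (author keeps `PERM_EDIT_CONVERSATIONS`, loses mailbox membership) can be run without a Laravel install. Only the two predicates follow the diff; the class shapes, the `members` array, the constant value of `PERM_EDIT_CONVERSATIONS` and the `editAllowedBefore`/`editAllowedAfter` names are assumptions made for the example.

```php
<?php
// Added example, not FreeScout's code. Class layout, the constant value and the
// function names below are assumptions; only the two predicates mirror the diff.

const PERM_EDIT_CONVERSATIONS = 'edit_conversations'; // assumed value

final class User {
    public function __construct(
        public int $id,
        public array $permissions = [],
        public bool $admin = false,
    ) {}
    public function isAdmin(): bool { return $this->admin; }
    public function hasPermission(string $perm): bool {
        return in_array($perm, $this->permissions, true);
    }
}

final class Mailbox {
    /** @var int[] user ids currently granted access (assumed representation) */
    public array $members = [];
    public function __construct(public string $name) {}
}

final class Conversation {
    public function __construct(public Mailbox $mailbox) {}
    // Stands in for Conversation::userHasAccessToMailbox(): current membership only,
    // so a revoked agent stops matching as soon as the admin removes them.
    public function userHasAccessToMailbox(int $userId): bool {
        return in_array($userId, $this->mailbox->members, true);
    }
}

final class Thread {
    public const TYPE_MESSAGE = 'message';
    public const TYPE_NOTE = 'note';
    public function __construct(
        public string $type,
        public ?int $created_by_user_id,
        public ?Conversation $conversation,
    ) {}
}

/** Pre-1.8.221 branch: authorship plus the global flag, nothing about the mailbox. */
function editAllowedBefore(User $user, Thread $thread): bool {
    return (bool) $thread->created_by_user_id
        && in_array($thread->type, [Thread::TYPE_MESSAGE, Thread::TYPE_NOTE], true)
        && ($user->isAdmin() || (
            $user->hasPermission(PERM_EDIT_CONVERSATIONS)
            && $thread->created_by_user_id == $user->id
        ));
}

/** 1.8.221 branch: the author must also still have access to the conversation's mailbox. */
function editAllowedAfter(User $user, Thread $thread): bool {
    return (bool) $thread->created_by_user_id
        && in_array($thread->type, [Thread::TYPE_MESSAGE, Thread::TYPE_NOTE], true)
        && ($user->isAdmin() || (
            $user->hasPermission(PERM_EDIT_CONVERSATIONS)
            && $thread->created_by_user_id == $user->id
            && $thread->conversation
            && $thread->conversation->userHasAccessToMailbox($user->id)
        ));
}

// Constructed scenario: agent 7 writes an internal note in Mailbox A, then is removed.
$agent    = new User(7, [PERM_EDIT_CONVERSATIONS]);
$mailboxA = new Mailbox('Mailbox A');
$mailboxA->members = [7];
$note = new Thread(Thread::TYPE_NOTE, 7, new Conversation($mailboxA));

printf("while member:  before=%d after=%d\n",
    editAllowedBefore($agent, $note), editAllowedAfter($agent, $note));

$mailboxA->members = [];   // administrator revokes the agent's access to Mailbox A
printf("after removal: before=%d after=%d\n",
    editAllowedBefore($agent, $note), editAllowedAfter($agent, $note));

// Edge case: a thread whose conversation cannot be resolved. The old predicate never
// consulted the conversation; the new one fails closed because `$thread->conversation` is null.
$mailboxA->members = [7];
$orphan = new Thread(Thread::TYPE_MESSAGE, 7, null);
printf("orphan thread: before=%d after=%d\n",
    editAllowedBefore($agent, $orphan), editAllowedAfter($agent, $orphan));
```

Run it with `php` on the command line. While the agent is a member both predicates grant the edit; after removal only the pre-patch predicate still does, which is the bypass the advisory describes. The orphan case shows the second effect of the patch: where the conversation is missing the new check denies rather than falling back to authorship alone. The `isAdmin()` short-circuit is the same in both versions, so an admin author is never subject to the membership check.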

Preconditions

  • auth: Attacker must have an active session as an agent with PERM_EDIT_CONVERSATIONS
  • input: Attacker must have previously created a message or note in a mailbox they are later removed from
  • config: Administrator must remove the agent from the mailbox while the agent's session remains valid

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
