VYPR advisory · Published May 31, 2026 · 1 source

Four Medium-to-High Severity Flaws Disclosed in FreeScout Help Desk Platform

Four vulnerabilities in the open-source FreeScout help desk platform were disclosed on May 29, 2026, including an email injection flaw that allows unauthenticated agent impersonation and two authorization bypass bugs affecting internal notes.

Four security vulnerabilities in FreeScout, the open-source help desk and shared inbox built on PHP's Laravel framework, were disclosed together on May 29, 2026. The batch spans three distinct bug classes — account enumeration, email-based privilege escalation, and authorization bypass — and affects versions prior to 1.8.221. The most severe of the four, CVE-2026-47123, carries a CVSS score of 7.5 (High) and involves an email injection vector that could let an external attacker impersonate any agent.

The password reset endpoint in FreeScout versions prior to 1.8.219 returns distinguishable responses depending on whether the submitted email address belongs to an existing user account, which lets an unauthenticated attacker enumerate valid helpdesk agent email addresses. This is CVE-2026-45294, the one of the four that the 1.8.219 release fixes. Although its CVSS score is Medium (5.3), the finding matters because a confirmed list of agent addresses can feed targeted phishing or credential-stuffing attacks against those agents. The fix shipped in version 1.8.219.
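The response-difference pattern above, as an added framework-agnostic example (not FreeScout's code): `reset_leaky()` answers differently for registered and unregistered addresses, `reset_uniform()` gives the same status and body either way and queues the mail instead of sending it inline, and `is_enumerable()` is the check a defender can run against any such handler. The agent table, messages and `OUTBOX` queue are constructed for the demo.

```python
# Added example, not FreeScout's code: a framework-agnostic model of a
# password-reset endpoint. reset_leaky() shows the response-difference
# pattern described for CVE-2026-45294; reset_uniform() shows the fix.
# The agent table, messages and OUTBOX queue are constructed for this demo.
import secrets

KNOWN_AGENTS = {"agent@example.test", "lead@example.test"}  # constructed
OUTBOX = []  # stands in for a mail queue the requester cannot observe


def reset_leaky(email):
    """Vulnerable pattern: status and body reveal whether the address exists."""
    if email in KNOWN_AGENTS:
        return {"status": 200, "message": "We have emailed your password reset link."}
    return {"status": 422, "message": "We can't find a user with that email address."}


def reset_uniform(email):
    """Hardened pattern: the same status and body for every input. The mail is
    queued rather than sent inline so the response time does not depend on the
    branch taken either."""
    if email in KNOWN_AGENTS:
        OUTBOX.append({"to": email, "token": secrets.token_urlsafe(32)})
    return {"status": 200, "message": "If that address is registered, a reset link has been sent."}


def is_enumerable(handler, known_probe, unknown_probe):
    """Defender's check: feed one address you know is registered and one you know
    is not; any observable difference means the endpoint leaks account existence."""
    return handler(known_probe) != handler(unknown_probe)


if __name__ == "__main__":
    print("leaky enumerable:", is_enumerable(reset_leaky, "agent@example.test", "nobody@example.test"))
    print("uniform enumerable:", is_enumerable(reset_uniform, "agent@example.test", "nobody@example.test"))
```

Run against a real deployment, `is_enumerable()` would compare full HTTP responses (status, body, headers) and ideally response timing as well; a uniform body with a visibly slower "known" branch still leaks.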

The most impactful vulnerability in the batch, CVE-2026-47123, resides in FreeScout's email processing pipeline, specifically the FetchEmails command. The pipeline has two code paths for identifying agent replies from the In-Reply-To and References headers. The notification reply path uses a predictable pattern (notify-{thread_id}-{user_id}) that an external party can reproduce. By sending a crafted email with a spoofed In-Reply-To header, an unauthenticated attacker can cause FreeScout to attribute the email to any valid agent, effectively posting replies as that agent and bypassing authentication entirely. The vulnerability affects versions prior to 1.8.220.
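The attribution step described above, as an added example that is not FreeScout's code: `attribute_unverified()` trusts the user id carried in the predictable notification Message-ID, while `attribute_verified()` shows one possible mitigation, binding thread and agent with a server-keyed MAC inside the Message-ID so that only an ID the server itself minted is attributed. The MAC design, `SERVER_SECRET`, `HOST`, the agent table and the sample messages are assumptions constructed for the demo, not the upstream fix.

```python
# Added example, not FreeScout's code: a model of the reply-attribution step in
# an inbound-mail pipeline. attribute_unverified() trusts the predictable
# notify-{thread_id}-{user_id} Message-ID described for CVE-2026-47123;
# attribute_verified() shows one possible mitigation (a server-keyed MAC in the
# Message-ID), which is an assumption here and not necessarily the upstream fix.
import hashlib
import hmac
import re
from email import message_from_string
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"  # constructed; a real deployment keeps this secret
AGENTS = {7: "agent@example.test", 9: "lead@example.test"}  # constructed user_id -> address
HOST = "helpdesk.example.test"  # constructed

PLAIN_RE = re.compile(r"^<notify-(\d+)-(\d+)@[^>]+>$")
SIGNED_RE = re.compile(r"^<notify-(\d+)-(\d+)-([0-9a-f]{32})@[^>]+>$")


def in_reply_to(raw_email: str) -> str:
    return (message_from_string(raw_email).get("In-Reply-To") or "").strip()


def attribute_unverified(raw_email: str) -> Optional[int]:
    """Vulnerable pattern: whoever controls In-Reply-To chooses the agent."""
    m = PLAIN_RE.match(in_reply_to(raw_email))
    if not m:
        return None
    user_id = int(m.group(2))
    return user_id if user_id in AGENTS else None


def reply_tag(thread_id: int, user_id: int) -> str:
    """Keyed tag binding thread and agent; cannot be produced without SERVER_SECRET."""
    msg = f"{thread_id}:{user_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def signed_message_id(thread_id: int, user_id: int) -> str:
    """What the server would put in the Message-ID of an outgoing notification."""
    return f"<notify-{thread_id}-{user_id}-{reply_tag(thread_id, user_id)}@{HOST}>"


def attribute_verified(raw_email: str) -> Optional[int]:
    """Hardened pattern: attribute only if the tag proves the server minted this ID."""
    m = SIGNED_RE.match(in_reply_to(raw_email))
    if not m:
        return None
    thread_id, user_id, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    if not hmac.compare_digest(tag, reply_tag(thread_id, user_id)):
        return None
    return user_id if user_id in AGENTS else None


def build_email(sender: str, reply_to_id: str) -> str:
    """Constructed inbound message carrying the given In-Reply-To header."""
    return (
        f"From: {sender}\n"
        f"To: support@{HOST}\n"
        f"In-Reply-To: {reply_to_id}\n"
        "Subject: Re: ticket\n"
        "\n"
        "Reply body\n"
    )


if __name__ == "__main__":
    external = build_email("someone@external.example", f"<notify-42-7@{HOST}>")
    print("unverified attributes external mail to agent:", attribute_unverified(external))
    print("verified attributes external mail to agent:", attribute_verified(external))
    genuine = build_email(AGENTS[7], signed_message_id(42, 7))
    print("verified attributes genuine reply to agent:", attribute_verified(genuine))
```

The From header is deliberately not used as evidence in either path: it is as spoofable as In-Reply-To, so matching it against the agent's address adds a speed bump, not an authentication check. The keyed tag is what turns "looks like one of our notification IDs" into "is one of our notification IDs".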

CVE-2026-48811 targets the ThreadPolicy::delete method in FreeScout versions prior to 1.8.221. A non-admin user holding the PERM_EDIT_CONVERSATIONS permission can permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked, because the policy check never verifies that the user is still a member of the mailbox at the time of the delete action. A former agent whose mailbox access was removed could therefore still destroy internal notes they had previously been able to see.

While investigating the ThreadPolicy::delete issue, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method, leading to CVE-2026-48810. A user with the PERM_EDIT_CONVERSATIONS permission can edit internal notes in conversations belonging to mailboxes they no longer have access to. Like its counterpart, this affects versions prior to 1.8.221. Both CVEs share the same root cause: authorization decided from a permission that outlives the user's mailbox membership, with no re-validation of that membership at the time of the action.
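The shared root cause of CVE-2026-48811 and CVE-2026-48810, as an added framework-agnostic example that is not FreeScout's code: `ThreadPolicyStale` decides edit and delete from the permission flag alone, `ThreadPolicyFresh` additionally requires live membership of the thread's mailbox, `revocation_scenario()` walks a grant-then-revoke sequence through either policy, and `find_stale_grants()` is the audit an administrator would run to find users who can still act on notes in mailboxes they were removed from. The `User`, `Mailbox` and `Thread` models and the permission value are constructed for the demo.

```python
# Added example, not FreeScout's code: a framework-agnostic model of the
# ThreadPolicy edit/delete decision. ThreadPolicyStale reproduces the root
# cause shared by CVE-2026-48810 and CVE-2026-48811 (permission flag checked,
# mailbox membership not re-checked at action time); ThreadPolicyFresh shows
# the re-validation. Users, mailboxes and threads are constructed here.
from dataclasses import dataclass, field

PERM_EDIT_CONVERSATIONS = "edit_conversations"  # name from the advisory; value constructed


@dataclass
class User:
    id: int
    is_admin: bool = False
    permissions: set = field(default_factory=set)


@dataclass
class Mailbox:
    id: int
    member_ids: set = field(default_factory=set)


@dataclass
class Thread:
    id: int
    mailbox_id: int
    is_note: bool = True  # internal note (private thread)


class ThreadPolicyStale:
    """Vulnerable pattern: a role-level flag is the only input to the decision."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes

    def edit(self, user, thread):
        return user.is_admin or PERM_EDIT_CONVERSATIONS in user.permissions

    def delete(self, user, thread):
        return self.edit(user, thread)


class ThreadPolicyFresh:
    """Hardened pattern: same flag, plus live membership of the thread's mailbox."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes

    def _is_member(self, user, thread):
        mailbox = self.mailboxes.get(thread.mailbox_id)
        return mailbox is not None and user.id in mailbox.member_ids

    def edit(self, user, thread):
        if user.is_admin:
            return True
        return PERM_EDIT_CONVERSATIONS in user.permissions and self._is_member(user, thread)

    def delete(self, user, thread):
        return self.edit(user, thread)


def revocation_scenario(policy_cls):
    """Grant an agent edit rights and mailbox membership, then revoke only the
    membership. Returns (allowed_before_revoke, allowed_after_revoke) for delete."""
    agent = User(id=7, permissions={PERM_EDIT_CONVERSATIONS})
    mailboxes = {1: Mailbox(id=1, member_ids={7})}
    note = Thread(id=100, mailbox_id=1)
    policy = policy_cls(mailboxes)
    before = policy.delete(agent, note)
    mailboxes[1].member_ids.discard(7)  # access revoked, permission flag untouched
    after = policy.delete(agent, note)
    return before, after


def find_stale_grants(users, mailboxes, threads):
    """Audit helper: (user_id, thread_id) pairs the flag-only check would allow
    but a membership-aware check would deny. Non-empty output means revocation
    did not propagate to what the user can still act on."""
    stale, fresh = ThreadPolicyStale(mailboxes), ThreadPolicyFresh(mailboxes)
    return [(u.id, t.id) for u in users for t in threads
            if stale.edit(u, t) and not fresh.edit(u, t)]


if __name__ == "__main__":
    print("stale policy (before, after revoke):", revocation_scenario(ThreadPolicyStale))
    print("fresh policy (before, after revoke):", revocation_scenario(ThreadPolicyFresh))
```

The point of `_is_member()` reading the mailbox table on every call, rather than a flag captured at login or role assignment, is that revocation takes effect on the next request without any cache invalidation step; the same check belongs in every policy method that touches a mailbox-scoped object, not only the two named in the advisory.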

FreeScout has addressed all four vulnerabilities across three sequential releases. CVE-2026-45294 was patched in version 1.8.219. CVE-2026-47123 was patched in version 1.8.220. The two authorization bypass flaws (CVE-2026-48811 and CVE-2026-48810) were patched together in version 1.8.221. Administrators running any version prior to 1.8.221 should upgrade to the latest release immediately. No in-the-wild exploitation has been reported for any of the four CVEs as of the disclosure date.

This disclosure event highlights a recurring theme in open-source help desk software: the tension between flexible permission systems and the need to re-validate access at every sensitive action. The two authorization bypass CVEs are textbook examples of stale authorization checks, while the email injection flaw demonstrates how deeply integrated email parsing can introduce authentication bypass vectors that are hard to spot. FreeScout administrators should treat this batch as a reminder to audit mailbox access revocation processes and to ensure email-based reply handling is properly scoped.

Synthesized by Vypr AI