FreeScout Cross-User Undo Reply Vulnerability in Shared Mailboxes

Vulnerability

A vulnerability in FreeScout's undo-send feature allows agents in a shared mailbox to recall replies sent by their peers. The issue exists in versions prior to 1.8.214. The undo-send route checks only whether the requesting user can view the conversation; it does not verify that the user authored the reply being undone. This missing ownership check enables one agent to undo another agent's response within the 15-second undo window.

Impact

This vulnerability allows any agent in a shared mailbox to cancel another agent's recently sent reply, potentially disrupting communication and workflow.

Reproduction

To reproduce this vulnerability, log in as two different agents who share the same mailbox. Have one agent send a reply in a shared conversation, then have the second agent use the undo-reply feature to recall that reply within the 15-second window.

Remediation

Update to FreeScout version 1.8.214 or later, where this vulnerability has been fixed.
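The following is an added example, not FreeScout's code or the project's actual patch. It models the authorization decision described in the Vulnerability section (a view-permission check without an ownership check) next to the kind of object-level check the Remediation section implies. All names (Conversation, Reply, mailbox_members, undo_reply_vulnerable, undo_reply_fixed) and the sample data are constructed for illustration; the only page-derived values are the 15-second window and the shared-mailbox setting.

```python
"""Added example (not FreeScout's code): undo-send authorization, before and after.

The vulnerable variant only asks "may this user view the conversation?",
which in a shared mailbox is true for every agent assigned to it. The fixed
variant additionally requires that the user authored the reply. Identifiers
below are assumptions for illustration, not FreeScout's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The advisory states a 15-second undo window.
UNDO_WINDOW = timedelta(seconds=15)


@dataclass
class Conversation:
    id: int
    mailbox_id: int


@dataclass
class Reply:
    id: int
    conversation: Conversation
    author_id: int
    sent_at: datetime
    recalled: bool = False


def can_view_conversation(user_id: int, mailbox_members: dict[int, set[int]],
                          conversation: Conversation) -> bool:
    """Mailbox-level permission: any agent assigned to the mailbox may view its conversations."""
    return user_id in mailbox_members.get(conversation.mailbox_id, set())


def within_window(reply: Reply, now: datetime) -> bool:
    """True while the reply is still inside the undo window."""
    return now - reply.sent_at <= UNDO_WINDOW


def undo_reply_vulnerable(user_id: int, reply: Reply,
                          mailbox_members: dict[int, set[int]], now: datetime) -> bool:
    """Behaviour the advisory attributes to versions before 1.8.214 (assumed model):
    view permission is checked, authorship of the reply is not."""
    if not can_view_conversation(user_id, mailbox_members, reply.conversation):
        return False
    if not within_window(reply, now):
        return False
    reply.recalled = True
    return True


def undo_reply_fixed(user_id: int, reply: Reply,
                     mailbox_members: dict[int, set[int]], now: datetime) -> bool:
    """Object-level authorization: view permission AND authorship AND window.
    This is an assumed shape of the fix, not FreeScout's actual patch."""
    if not can_view_conversation(user_id, mailbox_members, reply.conversation):
        return False
    if reply.author_id != user_id:  # the missing ownership check
        return False
    if not within_window(reply, now):
        return False
    reply.recalled = True
    return True


def scenario() -> dict[str, bool]:
    """Constructed scenario: agents 10 and 20 share mailbox 1; agent 10 sends a reply.
    Agent 30 is not a member of the mailbox."""
    members = {1: {10, 20}}
    conv = Conversation(id=1, mailbox_id=1)
    sent = datetime(2026, 4, 21, 17, 55, tzinfo=timezone.utc)

    def fresh_reply() -> Reply:
        return Reply(id=100, conversation=conv, author_id=10, sent_at=sent)

    five_s = sent + timedelta(seconds=5)
    twenty_s = sent + timedelta(seconds=20)
    return {
        # peer agent, inside the window: succeeds before the fix, refused after
        "peer_vulnerable": undo_reply_vulnerable(20, fresh_reply(), members, five_s),
        "peer_fixed": undo_reply_fixed(20, fresh_reply(), members, five_s),
        # the author can still undo their own reply inside the window
        "author_fixed": undo_reply_fixed(10, fresh_reply(), members, five_s),
        # but not once the window has passed
        "author_fixed_late": undo_reply_fixed(10, fresh_reply(), members, twenty_s),
        # a non-member was already refused by the view check in both variants
        "outsider_vulnerable": undo_reply_vulnerable(30, fresh_reply(), members, five_s),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The point of the comparison is that mailbox membership is the wrong granularity for an action that mutates one user's own artifact: a "can view" check answers a different question than "is this yours to recall". When reviewing similar routes, look for any state-changing action on a per-user object that is gated only on a coarser permission.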

Added: Apr 21, 2026, 5:55 PM
Updated: Apr 21, 2026, 5:55 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.