FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.221
A vulnerability in FreeScout prior to version 1.8.221 allows non-admin users to permanently delete internal notes from conversations, even after their access to the relevant mailbox has been revoked. The issue arises because the deletion authorization policy checks only who created the note and never checks whether the requester is still a member of the mailbox that owns the conversation, so former team members retain the ability to delete notes they wrote while they had access. This flaw can lead to unauthorized tampering with conversation records and permanent data loss.
The vulnerability allows revoked users to delete internal notes from conversations they can no longer access, leading to unauthorized removal of potentially sensitive information and disruption of audit trails.
To reproduce this vulnerability, an agent account that has added internal notes to conversations in a mailbox must be removed from that mailbox. After revocation, the agent can still delete the notes they created while they had access by sending the deletion request to the '/conversation/ajax' endpoint with the appropriate thread ID and their still-valid session. On a fixed installation the same request should be rejected as unauthorized.
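As an added illustration (not FreeScout's own code; the entity names, fields and policy functions are assumptions for the example), the following Python models the authorization check the advisory describes: the author-only policy beside a hardened one that also requires current mailbox membership, with the revocation steps replayed against both.

```python
"""Model of the note-deletion authorization flaw described in the advisory.

Constructed illustration, not FreeScout's code: User, Mailbox, Thread and the
two policy functions are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Mailbox:
    id: int
    member_ids: set = field(default_factory=set)  # users currently granted access


@dataclass
class Thread:
    """An internal note (thread) in a conversation that belongs to a mailbox."""
    id: int
    mailbox_id: int
    created_by: int


def can_delete_vulnerable(user: User, thread: Thread, mailboxes: dict) -> bool:
    """Pre-1.8.221 behaviour as the advisory describes it: the policy asks only
    whether the user is an admin or authored the note. Mailbox membership is
    never consulted, so a revoked agent keeps delete rights on their own notes."""
    return user.is_admin or thread.created_by == user.id


def can_delete_fixed(user: User, thread: Thread, mailboxes: dict) -> bool:
    """Hardened check (assumed shape of the fix): admins may delete; everyone
    else must both have authored the note and still be a member of the mailbox
    that owns the conversation at the time of the request."""
    if user.is_admin:
        return True
    mailbox = mailboxes[thread.mailbox_id]
    return thread.created_by == user.id and user.id in mailbox.member_ids


def revocation_scenario(policy):
    """Replay the reproduction steps against a policy and return (before, after):
    whether the agent may delete their note before and after being removed."""
    agent = User(id=7)
    support = Mailbox(id=1, member_ids={7})
    mailboxes = {1: support}
    note = Thread(id=42, mailbox_id=1, created_by=7)  # written while a member
    before = policy(agent, note, mailboxes)
    support.member_ids.discard(agent.id)               # access revoked
    after = policy(agent, note, mailboxes)
    return before, after


if __name__ == "__main__":
    print("vulnerable:", revocation_scenario(can_delete_vulnerable))  # (True, True)
    print("fixed:     ", revocation_scenario(can_delete_fixed))       # (True, False)
```

The point of the hardened check is that authorship is a historical fact while mailbox membership is a current permission; a deletion policy has to evaluate the latter on every request, not at note-creation time.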
Users are advised to update FreeScout to version 1.8.221 or later.