Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.
Published: 2026-03-19
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized read and modification of all customer messages across all mailboxes, enabling evidence tampering and GDPR violations
Action: Patch Immediately
AI Analysis

Impact

A broken access-control flaw in FreeScout's ThreadPolicy::edit() allows any logged-in user to view and edit every customer-created thread message, regardless of mailbox or role permissions. The vulnerability permits attackers to alter or remove customer communications, compromising data integrity and potentially creating compliance failures.

Affected Systems

FreeScout help desk versions 1.8.208 and earlier, built on PHP’s Laravel framework, are impacted. Updating to version 1.8.209 or later removes the flaw.

Risk and Exploitability

The flaw is exploitable by any authenticated user; it requires neither remote code execution nor privilege escalation. EPSS estimates an exploitation probability below 1%, and the vulnerability is not listed in the CISA KEV catalog, yet the risk to privacy and regulatory compliance is elevated because of the sensitive nature of the affected data.

Generated by OpenCVE AI on March 23, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.209 or later

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Freescout; Freescout freescout
CPEs                  -                cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products    -                Freescout; Freescout freescout

Fri, 20 Mar 2026 18:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products    -                Freescout Helpdesk; Freescout Helpdesk freescout

Thu, 19 Mar 2026 21:30:00 +0000

Type                  Values Removed   Values Added
Description           -                FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.
Title                 -                FreeScout: Broken Access Control in ThreadPolicy — Any User Can Read/Edit All Customer Messages
Weaknesses            -                CWE-284
References            -
Metrics               -                cvssV3_1: {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:10:32.968Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32752

Vulnrichment

Updated: 2026-03-20T17:02:45.467Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:41.650

Modified: 2026-03-23T19:30:28.227

Link: CVE-2026-32752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:44Z

Weaknesses