Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification and enumeration of thread data
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unauthenticated IDOR in the GET /thread/read/{conversation_id}/{thread_id} endpoint of FreeScout. The endpoint does not require a logged‑in user and does not verify that the supplied thread_id belongs to the given conversation_id; the thread_id is honoured on its own. Consequently, an attacker can change the read status of arbitrary threads, infer which thread IDs exist from HTTP 200 versus 404 responses, and set opened_at timestamps on threads in conversations they have no access to. The confidentiality impact is this existence oracle (CVSS C:L); message content is not exposed. The integrity impact (I:L) is that read state and open timestamps across the help desk can be falsified without authorization, corrupting the conversation timeline that agents rely on.

Affected Systems

FreeScout help‑desk software, all versions prior to 1.8.212 (1.8.212 is the fixed release). The vendor is freescout-help-desk, listed on this page as Freescout / Freescout Helpdesk with CPE cpe:2.3:a:freescout:freescout. Every installation that has not been updated to 1.8.212 or later is affected.

Risk and Exploitability

The CVSS 4.0 score is 6.9 (Medium). The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported; the SSVC assessment recorded on this page does note a public proof of concept (Exploitation: poc) and rates the issue as automatable. Because the endpoint is reachable without authentication, the attack is a single HTTP GET with guessed IDs, issued from anywhere on the internet or from within a compromised network. The impact is confined to the affected site's thread metadata (read state, opened_at) and the existence oracle; no code execution or disclosure of message content is described.

Generated by OpenCVE AI on April 7, 2026 at 22:45 UTC.

Remediation

Fixed in FreeScout 1.8.212, per the vulnerability description. No vendor workaround for earlier versions is listed on this page.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.212 or later.
  • If an update is not immediately possible, restrict access to the GET /thread/read endpoint so that only authenticated users can call it (e.g., via firewall rules, .htaccess, or application code changes).
  • Implement server‑side validation that ensures the thread_id belongs to the specified conversation_id to eliminate the IDOR permanently.
  • Monitor application logs for abnormal read‑status changes or enumeration attempts and alert administrators to suspicious activity.
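The vulnerable shape the description gives, beside the hardened shape the second and third recommendations call for, as an added Laravel example that is not FreeScout's own code. The model name Thread, the conversation_id and opened_at columns, and the route registration are assumptions drawn from the advisory wording; what 1.8.212 actually changed is not stated on this page.

```php
<?php
// Added example, not FreeScout's code. The Thread model and its
// conversation_id / opened_at columns are assumptions taken from the advisory text.

use Illuminate\Support\Facades\Route;
use App\Models\Thread; // assumed model name

// Vulnerable shape (what the advisory describes for versions before 1.8.212):
// no authentication, and the lookup ignores {conversation_id} entirely.
// Any client learns whether a thread ID exists (200 vs 404) and can stamp
// any thread as opened, regardless of which conversation it belongs to.
$vulnerableHandler = function ($conversation_id, $thread_id) {
    $thread = Thread::findOrFail($thread_id); // 404 only if the ID does not exist anywhere
    $thread->opened_at = now();
    $thread->save();
    return response('', 200);
};

// Hardened shape. Two changes: the route is registered behind the auth
// middleware (addresses CWE-306), and the thread is fetched *through* its
// conversation (addresses CWE-639), so a real thread in another conversation
// and a nonexistent thread both answer 404 and the cross-conversation oracle
// disappears.
$hardenedHandler = function ($conversation_id, $thread_id) {
    $thread = Thread::where('conversation_id', $conversation_id)
        ->where('id', $thread_id)
        ->firstOrFail(); // 404 for "not found" and "wrong conversation" alike

    // Design choice made in this example (not stated on the page): record only
    // the first open, so repeated hits cannot rewrite an existing opened_at.
    if ($thread->opened_at === null) {
        $thread->opened_at = now();
        $thread->save();
    }

    return response('', 200);
};

// Register only the hardened handler; the vulnerable one is kept above for contrast.
Route::middleware('auth')->get('/thread/read/{conversation_id}/{thread_id}', $hardenedHandler);
```

The page's title calls this the open-tracking endpoint. If recipients' mail clients fetch it with no session, the auth middleware above (or the firewall rule in the second recommendation) blocks those hits as well; in that case the scoped lookup still removes cross-conversation manipulation, but a sequential (conversation_id, thread_id) pair remains guessable, and keying the tracking URL on a random per-thread token is the usual way to close the remaining oracle. Whichever access control is chosen, the check that the thread belongs to the conversation is the one that must not be omitted.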

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Freescout
                                      Freescout freescout
CPEs                                  cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products                    Freescout
                                      Freescout freescout
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 09 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Freescout Helpdesk
                                      Freescout Helpdesk freescout
Vendors & Products                    Freescout Helpdesk
                                      Freescout Helpdesk freescout

Tue, 07 Apr 2026 18:00:00 +0000

Type                 Values Removed   Values Added
Description                           FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
Title                                 FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration
Weaknesses                            CWE-306
                                      CWE-639
References
Metrics                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T14:29:09.627Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35584

Vulnrichment

Updated: 2026-04-09T14:29:00.386Z

NVD

Status : Analyzed

Published: 2026-04-07T17:16:33.820

Modified: 2026-04-16T18:57:29.323

Link: CVE-2026-35584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:03Z

Weaknesses