Vulnerability Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freescout | Freescout | < 1.8.212 |
Related Weaknesses (CWE)
References
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-873c-rExploitVendor Advisory
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-873c-rExploitVendor Advisory
FAQ
What is CVE-2026-35584?
CVE-2026-35584 is a vulnerability with a CVSS score of 6.5 (MEDIUM). FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and doe...
How severe is CVE-2026-35584?
CVE-2026-35584 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35584?
Check the references section above for vendor advisories and patch information. Affected products include: Freescout Freescout.