CVE-2026-32752

Published: Mar 19, 2026

Modified: Mar 20, 2026

PUBLISHED

CVSS v3.1

0.0

NONE

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.

Vendor	Product	Versions
freescout-help-desk	freescout	affected `< 1.8.209`

Weaknesses (CWE)

CWE-284

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

None

References

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9

x_refsource_CONFIRM

https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11

x_refsource_MISC

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32752

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References