CVE-2026-35584
FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
19th
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
| CWE | CWE-306 CWE-639 |
| Vendor | freescout-help-desk |
| Product | freescout |
| Published | Apr 7, 2026 |
| Last Updated | Apr 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for freescout-help-desk freescout
Be the first to know when new unknown vulnerabilities affecting freescout-help-desk freescout are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
freescout-help-desk / freescout
< 1.8.212