CVE-2026-35584

FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.

INFO

Published Date :

2026-04-07T16:07:33.883Z

Last Modified :

2026-04-07T16:07:33.883Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35584 vulnerability.

Vendors	Products
Freescout Helpdesk	Freescout

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35584.

URL	Resource
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-873c-r7v5-g98v

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability