VYPR
Unrated severityNVD Advisory· Published Mar 19, 2026· Updated Mar 20, 2026

FreeScout: Broken Access Control in ThreadPolicy — Any User Can Read/Edit All Customer Messages

CVE-2026-32752

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Freescout/Freescoutllm-fuzzy2 versions
    <=1.8.208+ 1 more
    • (no CPE)range: <=1.8.208
    • (no CPE)range: < 1.8.209

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.