CVE-2026-32752
Received Received - Intake
Broken Access Control in FreeScout ThreadPolicy Allows Message Tampering

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32752
EUVD
EUVD-2026-13219
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.209 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in FreeScout versions 1.8.208 and below, specifically in the ThreadPolicy::edit() method. It is a broken access control flaw that allows any authenticated user, regardless of their role or mailbox access permissions, to read and modify all customer-created thread messages across all mailboxes.

This means that users can silently alter customer messages without detection, bypassing the intended mailbox permission model.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive customer communications and the ability to tamper with message content silently.

Such unauthorized modifications can lead to evidence tampering, loss of data integrity, and potential breaches of trust between the service provider and customers.

Compliance Impact

This vulnerability constitutes a violation of GDPR and similar compliance regulations because it allows unauthorized users to access and modify customer data, undermining data protection and privacy requirements.

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability in FreeScout versions 1.8.208 and below allows any authenticated user to read and modify all customer-created thread messages across all mailboxes due to broken access control.

To mitigate this vulnerability immediately, upgrade FreeScout to version 1.8.209 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32752. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart