CVE-2026-32752
Received Received - Intake
Broken Access Control in FreeScout ThreadPolicy Allows Message Tampering

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-32752
EUVD
EUVD-2026-13219
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.209 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in FreeScout versions 1.8.208 and below, specifically in the ThreadPolicy::edit() method. It is a broken access control flaw that allows any authenticated user, regardless of their role or mailbox access permissions, to read and modify all customer-created thread messages across all mailboxes.

This means that users can silently alter customer messages without detection, bypassing the intended mailbox permission model.


How can this vulnerability impact me? :

This vulnerability can have serious impacts including unauthorized access to sensitive customer communications and the ability to tamper with message content silently.

Such unauthorized modifications can lead to evidence tampering, loss of data integrity, and potential breaches of trust between the service provider and customers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability constitutes a violation of GDPR and similar compliance regulations because it allows unauthorized users to access and modify customer data, undermining data protection and privacy requirements.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability in FreeScout versions 1.8.208 and below allows any authenticated user to read and modify all customer-created thread messages across all mailboxes due to broken access control.

To mitigate this vulnerability immediately, upgrade FreeScout to version 1.8.209 or later, where the issue has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart