CVE-2026-35584
Received Received - Intake
IDOR in FreeScout Thread Endpoint Allows Unauthorized Data Manipulation

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35584
EUVD
EUVD-2026-19734
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.212 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access and manipulate thread read statuses and timestamps, as well as enumerate valid thread IDs. This unauthorized access and modification of data could lead to violations of data protection principles such as confidentiality and integrity.

Such unauthorized access and data manipulation may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and ensure data integrity.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Executive Summary

CVE-2026-35584 is an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in FreeScout's GET endpoint /thread/read/{conversation_id}/{thread_id} prior to version 1.8.212.

This endpoint does not require authentication and fails to verify that the provided thread_id belongs to the specified conversation_id.

As a result, an attacker can mark any thread as read by supplying arbitrary conversation and thread IDs, enumerate valid thread IDs by observing HTTP response codes (200 for valid, 404 for invalid), and manipulate the opened_at timestamps of threads across different conversations.

This breaks the intended conversation isolation and can mislead support agents relying on these metrics.

Impact Analysis

This vulnerability allows an unauthenticated attacker to:

  • Mark any thread as read without authorization.
  • Enumerate valid thread IDs by analyzing HTTP response codes.
  • Manipulate the opened_at timestamps of threads across conversations, breaking conversation boundaries.

These impacts can lead to unauthorized access and modification of thread statuses, potentially misleading support agents and compromising the integrity of conversation data.

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP GET requests to the endpoint /thread/read/{conversation_id}/{thread_id} with arbitrary conversation_id and thread_id values.

By observing the HTTP response codes, you can enumerate valid thread IDs: a 200 OK response indicates a valid thread, while a 404 Not Found indicates an invalid thread.

For example, you can use curl commands to test the endpoint without authentication.

  • curl -i http://your-freescout-instance/thread/read/1/3
  • Check if the response status is 200, which means the thread ID 3 exists and can be accessed without authentication.

If the thread_id does not belong to the conversation_id but still returns 200, it confirms the vulnerability allowing unauthorized access and manipulation.

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.212 or later, where this vulnerability is fixed.

The fix involves enforcing validation on the endpoint to ensure that the thread_id belongs to the specified conversation_id and aborting the request with a 403 Forbidden status if it does not.

If upgrading immediately is not possible, consider implementing access controls or network restrictions to limit unauthenticated access to the vulnerable endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart