CVE-2026-35584
IDOR in FreeScout Thread Endpoint Allows Unauthorized Data Manipulation
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | to 1.8.212 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to access and manipulate thread read statuses and timestamps, as well as enumerate valid thread IDs. This unauthorized access and modification of data could lead to violations of data protection principles such as confidentiality and integrity.
Such unauthorized access and data manipulation may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and ensure data integrity.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-35584 is an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in FreeScout's GET endpoint /thread/read/{conversation_id}/{thread_id} prior to version 1.8.212.
This endpoint does not require authentication and fails to verify that the provided thread_id belongs to the specified conversation_id.
As a result, an attacker can mark any thread as read by supplying arbitrary conversation and thread IDs, enumerate valid thread IDs by observing HTTP response codes (200 for valid, 404 for invalid), and manipulate the opened_at timestamps of threads across different conversations.
This breaks the intended conversation isolation and can mislead support agents relying on these metrics.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to:
- Mark any thread as read without authorization.
- Enumerate valid thread IDs by analyzing HTTP response codes.
- Manipulate the opened_at timestamps of threads across conversations, breaking conversation boundaries.
These impacts can lead to unauthorized access and modification of thread statuses, potentially misleading support agents and compromising the integrity of conversation data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated HTTP GET requests to the endpoint /thread/read/{conversation_id}/{thread_id} with arbitrary conversation_id and thread_id values.
By observing the HTTP response codes, you can enumerate valid thread IDs: a 200 OK response indicates a valid thread, while a 404 Not Found indicates an invalid thread.
For example, you can use curl commands to test the endpoint without authentication.
- curl -i http://your-freescout-instance/thread/read/1/3
- Check if the response status is 200, which means the thread ID 3 exists and can be accessed without authentication.
If the thread_id does not belong to the conversation_id but still returns 200, it confirms the vulnerability allowing unauthorized access and manipulation.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeScout to version 1.8.212 or later, where this vulnerability is fixed.
The fix involves enforcing validation on the endpoint to ensure that the thread_id belongs to the specified conversation_id and aborting the request with a 403 Forbidden status if it does not.
If upgrading immediately is not possible, consider implementing access controls or network restrictions to limit unauthenticated access to the vulnerable endpoint.