CVE-2026-32752

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.

CVSS

No CVSS.

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11	Patch
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209	Product Release Notes
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9	Mitigation Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

History

23 Mar 2026, 19:30

Type	Values Removed	Values Added
First Time		Freescout Freescout freescout
CPE		cpe:2.3:a:freescout:freescout::::::::
References	~~() https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11 -~~	() https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11 - Patch
References	~~() https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209 -~~	() https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209 - Product, Release Notes
References	~~() https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9 -~~	() https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9 - Mitigation, Vendor Advisory, Exploit
Summary		(es) FreeScout es un help desk gratuito y una bandeja de entrada compartida construido con el framework Laravel de PHP. En las versiones 1.8.208 e inferiores, el método ThreadPolicy::edit() contiene una vulnerabilidad de control de acceso roto que permite a cualquier usuario autenticado (independientemente de su rol o acceso al buzón) leer y modificar todos los mensajes de hilo creados por clientes en todos los buzones. Esta falla permite la modificación silenciosa de los mensajes de los clientes (alteración de pruebas), omite todo el modelo de permisos del buzón y constituye una violación de GDPR/cumplimiento. El problema ha sido solucionado en la versión 1.8.209.

19 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 19:30

NVD link : CVE-2026-32752

Mitre link : CVE-2026-32752

CVE.ORG link : CVE-2026-32752

JSON object : View

Products Affected

freescout

freescout

CWE

CWE-284

Improper Access Control

JSON object

Attach tags to CVE-2026-32752

Attach tags to `CVE-2026-32752`