Broken Access Control in FreeScout Help Desk Software by FreeScout
CVE-2026-32752

Key Information:

CVE Published: 19 March 2026

What is CVE-2026-32752?

FreeScout, a help desk and shared inbox application built on the PHP Laravel framework, has a broken access control vulnerability in versions 1.8.208 and earlier. This issue allows any authenticated user to access and modify all customer-created thread messages across all mailboxes, irrespective of their assigned role or mailbox permissions. The flaw poses a significant risk as it enables potential evidence tampering and violates GDPR compliance standards. Users are advised to upgrade to version 1.8.209 or later to mitigate this vulnerability.

Affected Version(s)

freescout < 1.8.209

CVSS V3.1

Score:
Severity: NONE
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
