Scan free
MEDIUMCVE-2026-35584

CVE-2026-35584: IDOR in Laravel FreeScout Help Desk

Platform

php

Component

laravel

Fixed in

1.8.212

View on NVD
Save

CVE-2026-35584 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Laravel FreeScout help desk systems. This flaw allows unauthenticated attackers to manipulate thread read statuses and timestamps across different conversations. The vulnerability impacts versions 1.8.0 through 1.8.211, and a fix is available in version 1.8.212.

Impact and Attack Scenarios

An attacker exploiting this IDOR vulnerability can gain unauthorized access to and modify sensitive information within the FreeScout help desk. By crafting malicious requests to the /thread/read/{conversationid}/{threadid} endpoint, they can mark arbitrary threads as read, effectively concealing them from authorized users. Furthermore, they can manipulate the opened_at timestamps associated with conversations, potentially disrupting workflows and creating confusion. This could lead to miscommunication, delayed responses to critical issues, and a compromised view of the overall support ticket status. The ability to enumerate valid thread IDs through HTTP response codes (200 vs 404) further simplifies the exploitation process.

Exploitation Context

CVE-2026-35584 was published on 2026-04-07. Currently, there are no publicly known active campaigns exploiting this vulnerability. No public proof-of-concept (POC) code has been released. The vulnerability is not listed on KEV, and its EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO

EPSS

0.07% (22% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impactpartial

Affected Software

Componentlaravel
Vendorfreescout-help-desk
Minimum version1.8.0
Maximum version< 1.8.212
Fixed in1.8.212

Weakness Classification (CWE)

CWE-306CWE-639

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-35584 is to immediately upgrade to FreeScout version 1.8.212 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Implement strict access controls on the /thread/read endpoint, requiring authentication and validating that the provided threadid belongs to the specified conversationid. Web application firewalls (WAFs) can be configured to block requests that attempt to access threads without proper authentication or with mismatched IDs. Regularly review FreeScout configurations to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to access a thread with an invalid thread_id – a 404 error should be returned.

How to fix

Actualice FreeScout a la versión 1.8.212 o superior para mitigar la vulnerabilidad. Esta actualización implementa la validación necesaria para asegurar que un usuario solo pueda acceder a los hilos de conversación a los que pertenece, previniendo la manipulación y enumeración no autorizada.

Frequently asked questions

What is CVE-2026-35584 — IDOR in Laravel FreeScout?

CVE-2026-35584 is an Insecure Direct Object Reference (IDOR) vulnerability in Laravel FreeScout help desk systems, allowing unauthorized manipulation of thread statuses and timestamps. It affects versions 1.8.0 through 1.8.211.

Am I affected by CVE-2026-35584 in Laravel FreeScout?

You are affected if you are using Laravel FreeScout versions 1.8.0 through 1.8.211. Upgrade to version 1.8.212 to resolve the vulnerability.

How do I fix CVE-2026-35584 in Laravel FreeScout?

The recommended fix is to upgrade to FreeScout version 1.8.212 or later. As a temporary workaround, implement strict access controls and WAF rules to restrict access to the /thread/read endpoint.

Is CVE-2026-35584 being actively exploited?

Currently, there are no publicly known active campaigns exploiting CVE-2026-35584, and no public proof-of-concept code is available.

Where can I find the official Laravel FreeScout advisory for CVE-2026-35584?

Refer to the official Laravel FreeScout documentation and security advisories for the most up-to-date information regarding CVE-2026-35584 and its remediation.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...