Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-35584

CVE-2026-35584: IDOR in Laravel FreeScout Help Desk

Q: Am I affected by CVE-2026-35584 in Laravel FreeScout?

You are affected if you are using Laravel FreeScout versions 1.8.0 through 1.8.211. Upgrade to version 1.8.212 to resolve the vulnerability.

Q: How do I fix CVE-2026-35584 in Laravel FreeScout?

The recommended fix is to upgrade to FreeScout version 1.8.212 or later. As a temporary workaround, implement strict access controls and WAF rules to restrict access to the /thread/read endpoint.

Q: Where can I find the official Laravel FreeScout advisory for CVE-2026-35584?

Refer to the official Laravel FreeScout documentation and security advisories for the most up-to-date information regarding CVE-2026-35584 and its remediation.

Plataforma

php

Componente

laravel

Corregido en

1.8.212

Ver en NVD

Guardar

Traduciendo a tu idioma…

CVE-2026-35584 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Laravel FreeScout help desk systems. This flaw allows unauthenticated attackers to manipulate thread read statuses and timestamps across different conversations. The vulnerability impacts versions 1.8.0 through 1.8.211, and a fix is available in version 1.8.212.

Impacto y Escenarios de Ataquetraduciendo…

An attacker exploiting this IDOR vulnerability can gain unauthorized access to and modify sensitive information within the FreeScout help desk. By crafting malicious requests to the /thread/read/{conversationid}/{threadid} endpoint, they can mark arbitrary threads as read, effectively concealing them from authorized users. Furthermore, they can manipulate the opened_at timestamps associated with conversations, potentially disrupting workflows and creating confusion. This could lead to miscommunication, delayed responses to critical issues, and a compromised view of the overall support ticket status. The ability to enumerate valid thread IDs through HTTP response codes (200 vs 404) further simplifies the exploitation process.

Contexto de Explotacióntraduciendo…

CVE-2026-35584 was published on 2026-04-07. Currently, there are no publicly known active campaigns exploiting this vulnerability. No public proof-of-concept (POC) code has been released. The vulnerability is not listed on KEV, and its EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Inteligencia de Amenazas

Estado del Exploit

Prueba de ConceptoDesconocido

CISA KEVNO

EPSS

0.07% (22% percentil)

CISA SSVC

Explotaciónpoc

Automatizableyes

Impacto Técnicopartial

Software Afectado

Componentelaravel

Proveedorfreescout-help-desk

Versión mínima1.8.0

Versión máxima< 1.8.212

Corregido en1.8.212

Clasificación de Debilidad (CWE)

CWE-306 CWE-639

Cronología

Reservado2026-04-03
Publicada2026-04-07
Modificada2026-04-09
EPSS actualizado2026-04-15

Mitigación y Workaroundstraduciendo…

The primary mitigation for CVE-2026-35584 is to immediately upgrade to FreeScout version 1.8.212 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Implement strict access controls on the /thread/read endpoint, requiring authentication and validating that the provided threadid belongs to the specified conversationid. Web application firewalls (WAFs) can be configured to block requests that attempt to access threads without proper authentication or with mismatched IDs. Regularly review FreeScout configurations to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to access a thread with an invalid thread_id – a 404 error should be returned.

Cómo corregirlotraduciendo…

Actualice FreeScout a la versión 1.8.212 o superior para mitigar la vulnerabilidad. Esta actualización implementa la validación necesaria para asegurar que un usuario solo pueda acceder a los hilos de conversación a los que pertenece, previniendo la manipulación y enumeración no autorizada.

Preguntas frecuentestraduciendo…

What is CVE-2026-35584 — IDOR in Laravel FreeScout?

CVE-2026-35584 is an Insecure Direct Object Reference (IDOR) vulnerability in Laravel FreeScout help desk systems, allowing unauthorized manipulation of thread statuses and timestamps. It affects versions 1.8.0 through 1.8.211.

Am I affected by CVE-2026-35584 in Laravel FreeScout?

You are affected if you are using Laravel FreeScout versions 1.8.0 through 1.8.211. Upgrade to version 1.8.212 to resolve the vulnerability.

How do I fix CVE-2026-35584 in Laravel FreeScout?

The recommended fix is to upgrade to FreeScout version 1.8.212 or later. As a temporary workaround, implement strict access controls and WAF rules to restrict access to the /thread/read endpoint.

Is CVE-2026-35584 being actively exploited?

Currently, there are no publicly known active campaigns exploiting CVE-2026-35584, and no public proof-of-concept code is available.

Where can I find the official Laravel FreeScout advisory for CVE-2026-35584?

Refer to the official Laravel FreeScout documentation and security advisories for the most up-to-date information regarding CVE-2026-35584 and its remediation.

¿Tu proyecto está afectado?

Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.

Escanear gratis Buscar CVEs

liveescaneo gratuito

Pruébalo ahora — sin cuenta

Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.

Escaneo manualAlertas en Slack/emailMonitoreo continuoReportes white-label

Arrastra y suelta tu archivo de dependencias

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Explorar archivos