CVE-2026-35584: IDOR in Laravel FreeScout Help Desk

An attacker exploiting this IDOR vulnerability can gain unauthorized access to and modify sensitive information within the FreeScout help desk. By crafting malicious requests to the /thread/read/{conversationid}/{threadid} endpoint, they can mark arbitrary threads as read, effectively concealing them from authorized users. Furthermore, they can manipulate the opened_at timestamps associated with conversations, potentially disrupting workflows and creating confusion. This could lead to miscommunication, delayed responses to critical issues, and a compromised view of the overall support ticket status. The ability to enumerate valid thread IDs through HTTP response codes (200 vs 404) further simplifies the exploitation process.

1. Réservé2026-04-03
2. Publiée2026-04-07
3. Modifiée2026-04-09
4. EPSS mis à jour2026-04-15

The primary mitigation for CVE-2026-35584 is to immediately upgrade to FreeScout version 1.8.212 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Implement strict access controls on the /thread/read endpoint, requiring authentication and validating that the provided threadid belongs to the specified conversationid. Web application firewalls (WAFs) can be configured to block requests that attempt to access threads without proper authentication or with mismatched IDs. Regularly review FreeScout configurations to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to access a thread with an invalid thread_id – a 404 error should be returned.