PT-2026-26373 · Freescout+1

Offensiveee · Published 2026-03-19 · Updated 2026-03-24 · CVE-2026-32752

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

FreeScout versions 1.8.208 and below

Description

FreeScout is a help desk and shared inbox application built with the Laravel PHP framework. A broken access control issue exists in the ThreadPolicy::edit() method. It allows any authenticated user, regardless of their role or mailbox access, to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages and bypasses the entire mailbox permission model, potentially leading to GDPR compliance violations. The affected function is ThreadPolicy::edit(); the vulnerable parameter is not specified.

Recommendations

Upgrade to version 1.8.209 or later to resolve this issue.

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-32752
GHSA-WXG5-G9VV-V8G9

Affected Products

Freescout
Laravel