PT-2026-30895 · Freescout Help Desk · Freescout

Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35584

CVSS v4.0: 6.9 Medium (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
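
For hosts that ran a version before 1.8.212, the following added example (not FreeScout code and not part of the advisory) scans web server access logs for sources that requested many distinct thread IDs on this endpoint and received a mix of 200 and 404 responses. The combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line hitting the endpoint named in the advisory.
READ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /thread/read/(?P<conv>\d+)/(?P<thread>\d+)[^"]*" (?P<status>\d{3}) '
)

# Assumed thresholds: a mail client loading one message touches a single
# thread ID, so several distinct IDs plus repeated 404s stands out.
MIN_DISTINCT_THREADS = 5
MIN_404 = 3

def find_enumeration(lines, min_threads=MIN_DISTINCT_THREADS, min_404=MIN_404):
    """Return {source_ip: summary} for sources that look like ID enumeration."""
    stats = defaultdict(lambda: {"threads": set(), "convs": set(), "200": 0, "404": 0})
    for line in lines:
        m = READ_RE.match(line)
        if not m:
            continue  # other endpoints are out of scope here
        s = stats[m["ip"]]
        s["threads"].add(int(m["thread"]))
        s["convs"].add(int(m["conv"]))
        if m["status"] in ("200", "404"):
            s[m["status"]] += 1
    findings = {}
    for ip, s in stats.items():
        if len(s["threads"]) >= min_threads and s["404"] >= min_404:
            findings[ip] = {
                "distinct_threads": len(s["threads"]),
                "distinct_conversations": len(s["convs"]),
                "status_200": s["200"],  # thread IDs confirmed to exist
                "status_404": s["404"],
            }
    return findings

def _line(ip, conv, thread, status):
    # Helper that builds a constructed sample log line.
    return (f'{ip} - - [07/Apr/2026:10:00:00 +0000] '
            f'"GET /thread/read/{conv}/{thread} HTTP/1.1" {status} 43 "-" "-"')

# Constructed sample: one source walking thread IDs, one ordinary reader.
SAMPLE = (
    [_line("203.0.113.9", 1, t, 200 if t in (101, 104) else 404) for t in range(100, 108)]
    + [_line("198.51.100.20", 12, 345, 200), _line("198.51.100.20", 12, 345, 200)]
    + ['198.51.100.20 - - [07/Apr/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "-"']
)

if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE).items():
        print(ip, summary)
```

Threads that returned 200 to a flagged source may have had their read state and opened_at value changed, so treat those fields as unreliable for the affected period.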

Fix

Missing Authentication

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-35584

Affected Products: Freescout