PT-2026-30895 · Freescout+1

Spoo1K · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35584

CVSS v4.0: 6.9 Medium

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

FreeScout versions prior to 1.8.212

Description

FreeScout, a help desk and shared inbox built with Laravel, is affected by an issue where the GET /thread/read/{conversation_id}/{thread_id} API endpoint does not require authentication and lacks validation to ensure the thread_id belongs to the specified conversation_id. This allows an unauthenticated attacker to mark any thread as read using arbitrary IDs, enumerate valid thread IDs through HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations. This is an IDOR (Insecure Direct Object Reference) issue.

Recommendations

Upgrade to FreeScout version 1.8.212 or later.
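
For instances that were exposed before the upgrade, the 200 vs 404 behaviour described above leaves a recognisable pattern in web server logs. The following is an added detection example, not FreeScout or advisory code; it assumes combined-format access logs, and the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Request and status fields of a combined-format access log line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /thread/read/(?P<conv>\d+)/(?P<thread>\d+)(?:\?\S*)? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

def find_enumeration(lines, min_distinct=5, min_miss_ratio=0.3):
    """Flag clients probing many thread IDs with a 200/404 mix (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"threads": set(), "200": 0, "404": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("200", "404"):
            continue
        entry = stats[m["ip"]]
        entry["threads"].add(int(m["thread"]))
        entry[m["status"]] += 1
    flagged = {}
    for ip, entry in stats.items():
        total = entry["200"] + entry["404"]  # never zero: entries exist only after a hit
        miss_ratio = entry["404"] / total
        if len(entry["threads"]) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[ip] = {
                "distinct_threads": len(entry["threads"]),
                "found": entry["200"],
                "missing": entry["404"],
            }
    return flagged

def _line(ip, conv, thread, status):
    # Builds one constructed log line; timestamp and response size are placeholders.
    return (f'{ip} - - [07/Apr/2026:10:00:00 +0000] '
            f'"GET /thread/read/{conv}/{thread} HTTP/1.1" {status} 43 "-" "-"')

# Constructed sample: one client walking sequential thread IDs, one ordinary client.
SAMPLE_LOG = (
    [_line("203.0.113.7", 1, t, "200" if t % 2 == 0 else "404") for t in range(100, 108)]
    + [_line("198.51.100.20", 12, 345, "200"), _line("198.51.100.20", 12, 346, "200")]
)

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Threads counted under "found" for a flagged client are the ones whose read state and opened_at values may have been altered and are worth reviewing.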

Exploit

Fix

Missing Authentication

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-35584

Affected Products

Freescout
Laravel