Loading
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
Cite this page
CVE-2026-35584. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-35584
Use CWE-306, Freescout vendor hub and Freescout product page to widen CVE-2026-35584 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-28289, CVE-2026-32754 and CVE-2026-40498 for nearby disclosures in the same product family.