FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversationid}/{threadid} does not require authentication and does not validate whether the given threadid belongs to the given conversationid. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-306",
"CWE-639"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35584.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.8.212"
}
],
"cpe": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}