{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32752", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.532Z", "datePublished": "2026-03-19T21:21:54.613Z", "dateUpdated": "2026-03-20T18:10:32.968Z"}, "containers": {"cna": {"title": "FreeScout: Broken Access Control in ThreadPolicy \u2014 Any User Can Read/Edit All Customer Messages", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.209", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:21:54.613Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209."}], "source": {"advisory": "GHSA-wxg5-g9vv-v8g9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:02:41.368736Z", "id": "CVE-2026-32752", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:10:32.968Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32752", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:02:41.368736Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:02:45.467Z"}}], "cna": {"title": "FreeScout: Broken Access Control in ThreadPolicy \u2014 Any User Can Read/Edit All Customer Messages", "source": {"advisory": "GHSA-wxg5-g9vv-v8g9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.209"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11", "name": "https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:21:54.613Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32752", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:10:32.968Z", "dateReserved": "2026-03-13T18:53:03.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T21:21:54.613Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA447A4F-F76D-4D18-85E7-18B185572113", "versionEndExcluding": "1.8.209", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209."}, {"lang": "es", "value": "FreeScout es un help desk gratuito y una bandeja de entrada compartida construido con el framework Laravel de PHP. En las versiones 1.8.208 e inferiores, el m\u00e9todo ThreadPolicy::edit() contiene una vulnerabilidad de control de acceso roto que permite a cualquier usuario autenticado (independientemente de su rol o acceso al buz\u00f3n) leer y modificar todos los mensajes de hilo creados por clientes en todos los buzones. Esta falla permite la modificaci\u00f3n silenciosa de los mensajes de los clientes (alteraci\u00f3n de pruebas), omite todo el modelo de permisos del buz\u00f3n y constituye una violaci\u00f3n de GDPR/cumplimiento. El problema ha sido solucionado en la versi\u00f3n 1.8.209."}], "id": "CVE-2026-32752", "lastModified": "2026-03-23T19:30:28.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-19T22:16:41.650", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory", "Exploit"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.209)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-03-23T20:54:03.023946+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.209 or later"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized read and modification of all customer messages across all mailboxes, enabling evidence tampering and GDPR violations"}, "threat_synthesis": {"affected_systems": "FreeScout help desk versions 1.8.208 and earlier, built on PHP\u2019s Laravel framework, are impacted. Updating to version 1.8.209 or later removes the flaw.", "description_and_impact": "An authentication\u2011based access\u2011control flaw in FreeScout\u2019s ThreadPolicy::edit() allows any logged\u2011in user to view and edit every thread message, regardless of mailbox or role permissions. The vulnerability permits attackers to alter or remove customer communications, compromising data integrity and potentially creating compliance failures.", "risk_and_exploitability": "The flaw is exploit\u2011able by any authenticated user; it does not require remote code execution or system privilege escalation. EPSS indicates an exploit probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog, yet the risk to privacy and regulatory compliance is elevated due to the sensitive nature of the compromised data."}}}}, "created": "2026-03-20T08:55:35.423458+00:00", "updated": "2026-03-25T11:54:44.544859+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}