CVE-2026-32752
Published: 19 March 2026
Summary
CVE-2026-32752 is an uncategorised-severity Improper Access Control (CWE-284) vulnerability in FreeScout (vendor: Freescout). Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 12.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for accessing and editing thread messages, directly preventing the broken access control in ThreadPolicy::edit() that bypasses mailbox permissions.
- AC-6 (Least Privilege): restricts authenticated users to only their assigned mailboxes, mitigating unauthorized cross-mailbox reading and modification of customer threads.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of flaws such as the access control vulnerability fixed in FreeScout v1.8.209, preventing exploitation through timely patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control in a public-facing web application enables network exploitation (Exploit Public-Facing Application, T1190) to read customer thread data from the helpdesk repository (Data from Information Repositories, T1213) and to perform undetected stored data tampering (Stored Data Manipulation, T1565.001).
NVD Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.
Deeper analysis
CVE-2026-32752 is a broken access control vulnerability in the ThreadPolicy::edit() method of FreeScout, a free help desk and shared inbox application built with PHP's Laravel framework. It affects versions 1.8.208 and below, allowing unauthorized access to thread messages. The issue is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) and was published on 2026-03-19.
Any authenticated user in FreeScout, regardless of their role or assigned mailbox permissions, can exploit this vulnerability to read and silently modify all customer-created thread messages across all mailboxes. This bypasses the application's entire mailbox permission model, enables evidence tampering by altering customer communications without detection, and represents a significant compliance risk, including potential GDPR violations.
The vulnerability has been addressed in FreeScout version 1.8.209. Official mitigation guidance is available in the project's security advisory (GHSA-wxg5-g9vv-v8g9), the release notes for v1.8.209, and the fixing commit (996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11) on GitHub, recommending immediate upgrade to the patched version.
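To make the class of defect concrete for the AC-3/AC-6 mappings above and the analysis in this section, here is an added, hypothetical Laravel policy pair. It is illustration code written for this page, not FreeScout's actual ThreadPolicy or its fix; the User and Thread models, the isAdmin() method, the mailboxes() relation and the mailbox_id column are all assumptions. The weak variant authorizes any logged-in user; the hardened variant ties the decision to the thread's own mailbox and the caller's membership in it.

```php
<?php
// Hypothetical illustration only; not FreeScout's code. Models, relations
// (User::mailboxes(), Thread::$mailbox_id) and User::isAdmin() are assumed.

namespace App\Policies;

use App\Models\Thread;
use App\Models\User;

// Weak pattern: the only condition is that a user object exists, i.e. the
// caller is authenticated. Every user can therefore edit every thread in
// every mailbox, which is exactly the failure mode AC-3 is meant to prevent.
class ThreadPolicyWeak
{
    public function edit(User $user, Thread $thread): bool
    {
        return true;
    }
}

// Hardened pattern (AC-3 access enforcement, AC-6 least privilege):
// - the target mailbox is derived server-side from the thread record,
//   never from request parameters the caller controls;
// - a non-admin caller must be a member of that mailbox;
// - the default answer is deny.
class ThreadPolicyHardened
{
    public function edit(User $user, Thread $thread): bool
    {
        if ($user->isAdmin()) {
            return true;
        }

        // Assumed many-to-many relation user <-> mailboxes (pivot table).
        return $user->mailboxes()
            ->where('mailboxes.id', $thread->mailbox_id)
            ->exists();
    }
}

// Controller usage (Laravel's AuthorizesRequests trait). The policy must be
// registered for the Thread model (e.g. Gate::policy(Thread::class, ...))
// and this call must sit on every code path that mutates the thread;
// a policy that is never consulted protects nothing.
//
//     $this->authorize('edit', $thread); // throws AuthorizationException on deny
```

When reviewing a Laravel application for this bug class, the useful check is to read each policy method for a condition that actually involves the resource being authorized (here, the thread's mailbox); a method whose return value does not depend on the second argument is effectively an authentication check, not an authorization check. Logging the denied branch (for example in a Gate::after callback) gives defenders a signal for cross-mailbox access attempts.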
Details
- CWE(s)