CVE-2026-32752
Published: 19 March 2026
Summary
CVE-2026-32752 is a uncategorised-severity Improper Access Control (CWE-284) vulnerability in Freescout Freescout. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-32752 is a broken access control vulnerability in the ThreadPolicy::edit() method of FreeScout, a free help desk and shared inbox application built with PHP's Laravel framework. It affects versions 1.8.208 and below, allowing unauthorized access to thread messages. The issue is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) and was published on 2026-03-19.
Any authenticated user in FreeScout, regardless of their role or assigned mailbox permissions, can exploit this vulnerability to read and silently modify all customer-created thread messages across all mailboxes. This bypasses the application's entire mailbox permission model, enables evidence tampering by altering customer communications without detection, and represents a significant compliance risk, including potential GDPR violations.
The vulnerability has been addressed in FreeScout version 1.8.209. Official mitigation guidance is available in the project's security advisory (GHSA-wxg5-g9vv-v8g9), the release notes for v1.8.209, and the fixing commit (996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11) on GitHub, recommending immediate upgrade to the patched version.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13219
Vulnerability details
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to…
more
read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Broken access control in public-facing web app enables network exploitation (T1190) to read customer thread data from the helpdesk repository (T1213) and perform undetected stored data tampering (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for accessing and editing thread messages, directly preventing the broken access control in ThreadPolicy::edit() that bypasses mailbox permissions.
Applies least privilege to restrict authenticated users to only their assigned mailboxes, mitigating unauthorized cross-mailbox read and modification of customer threads.
Requires identification, reporting, and correction of flaws like the access control vulnerability fixed in FreeScout v1.8.209, preventing exploitation through timely patching.