Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by passing arbitrary IDs, enumerate valid thread IDs via HTTP response codes (200 vs 404), and manipulate opened_at timestamps across conversations (IDOR). This vulnerability is fixed in 1.8.212.
AnalysisAI
Unauthenticated attackers can read arbitrary threads, enumerate thread IDs, and manipulate thread timestamps in FreeScout versions before 1.8.212 via an unvalidated IDOR vulnerability in the GET /thread/read/{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.
Technical ContextAI
FreeScout is a Laravel-based help desk application. The vulnerable endpoint implements an unauthenticated thread-read action that performs insufficient access control validation. The root cause is CWE-306 (Missing Authentication for Critical Function), combined with insecure direct object reference (IDOR) due to lack of authorization checks. The endpoint accepts conversation_id and thread_id parameters but does not verify ownership or relationship between them, nor authenticate the requesting user. The response behavior (HTTP 200 vs 404) further enables thread ID enumeration attacks. The opened_at timestamp manipulation indicates the endpoint performs write operations (state changes) without proper access restrictions.
RemediationAI
Upgrade FreeScout to version 1.8.212 or later, which includes the fix for this authentication bypass vulnerability. Organizations unable to upgrade immediately should implement network-level access controls restricting the /thread/read/ endpoint to authenticated users via a reverse proxy or WAF, and monitor access logs for enumeration patterns (multiple 404 responses to thread endpoints). See vendor advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-873c-r7v5-g98v for additional details and confirmation of patch availability.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19734