CVE-2026-32752

{"id": "CVE-2026-32752", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-19T22:16:41.650", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/996a7f96337fdd8a1d1bbd0da0ec7ec85d160b11", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wxg5-g9vv-v8g9", "tags": ["Mitigation", "Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role or mailbox access) to read and modify all customer-created thread messages across all mailboxes. This flaw enables silent modification of customer messages (evidence tampering), bypasses the entire mailbox permission model, and constitutes a GDPR/compliance violation. The issue has been fixed in version 1.8.209."}, {"lang": "es", "value": "FreeScout es un help desk gratuito y una bandeja de entrada compartida construido con el framework Laravel de PHP. En las versiones 1.8.208 e inferiores, el m\u00e9todo ThreadPolicy::edit() contiene una vulnerabilidad de control de acceso roto que permite a cualquier usuario autenticado (independientemente de su rol o acceso al buz\u00f3n) leer y modificar todos los mensajes de hilo creados por clientes en todos los buzones. Esta falla permite la modificaci\u00f3n silenciosa de los mensajes de los clientes (alteraci\u00f3n de pruebas), omite todo el modelo de permisos del buz\u00f3n y constituye una violaci\u00f3n de GDPR/cumplimiento. El problema ha sido solucionado en la versi\u00f3n 1.8.209."}], "lastModified": "2026-03-23T19:30:28.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA447A4F-F76D-4D18-85E7-18B185572113", "versionEndExcluding": "1.8.209"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}