Auth bypass in Freescout-help-desk Freescout

CVE-2026-35584

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread…

Vulnerability class: Broken Authentication

EPSS: 0.000 (10.6th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2026-35584?
CVE-2026-35584 is a vulnerability in Freescout-help-desk Freescout, classified under Missing Authentication for Critical Function. Published 2026-04-07.

Is CVE-2026-35584 known to be exploited?
2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.