Broken Object Level Authorization in Laravel [CVE-2026-32752]

In FreeScout, which is built on Laravel, CVE-2026-32752 describes a broken object-level authorization where the ThreadPolicy::edit() method allowed any authenticated user to read and modify all customer-created thread messages across all mailboxes. This is a classic CWE-284 scenario: access control is configured but not properly scoped to the specific resource or its owner, enabling cross-mailbox access and potential GDPR/compliance violations due to unauthorized data exposure or tampering. The impact is that attackers could silently alter or read conversations that do not belong to them, undermining data integrity and confidentiality in multi-tenant inboxes. The exploitation path is straightforward: the policy returns permissive access without validating thread ownership or mailbox membership, so subsequent operations update or fetch messages regardless of the authenticated user’s actual permissions. In Laravel terms, the authorization check validates that a user is logged in but does not verify that the user has access to the mailbox that owns the thread. As a result, reads and edits bypass the mailbox permission model and enable cross-tenant data access, a serious security and compliance risk. The issue is specific to versions 1.8.208 and below of FreeScout and was fixed in 1.8.209. Remediation in Laravel involves replacing permissive policy logic with strict resource ownership checks and consistent use of policies/gates for all mutating operations. Ensure each Thread operation is scoped to threads belonging to mailboxes the user can access, and enforce policy checks in controllers before any read or write to the thread or its messages. Implement unit tests that verify unauthorized users cannot access or modify threads across mailboxes, and audit all thread-related endpoints for proper authorization checks.