Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
Published: 2026-02-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover
Action: Immediate Patch
AI Analysis

Impact

FreeScout’s authentication middleware, TokenAuth, creates a static token by hashing the user ID, the account’s creation timestamp, and the application’s secret key (APP_KEY) using MD5. The token never expires or rotates, so the same value remains valid for all sessions. When an attacker obtains the APP_KEY—often exposed through Laravel configuration mismanagement—they can compute a valid token for any user, including administrators, without needing a password. This flaw enables a complete account takeover and can be combined with the related CVE-2026-27636 vulnerability.
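
As an added illustration (not FreeScout's code), the deterministic derivation the advisory describes is placed beside a replacement scheme that issues random, hashed, expiring and revocable tokens; the plain string concatenation in the legacy function and the TokenStore interface are assumptions.

```php
<?php
// Added illustration, not FreeScout code. Assumption: the legacy scheme
// concatenates the three values as plain strings before hashing.
declare(strict_types=1);

// Weak scheme from the advisory: a pure function of user id, creation time and APP_KEY,
// so any holder of APP_KEY can recompute it, and it never changes (CWE-330).
function legacyDerivedToken(int $userId, string $createdAt, string $appKey): string
{
    return md5($userId . $createdAt . $appKey);
}

// Hardened replacement: random token, stored only as a SHA-256 digest, bound to a
// user and an expiry, revocable. Nothing about it is derivable from config or user data.
final class TokenStore
{
    /** @var array<string, array{user_id:int, expires_at:int}> keyed by digest */
    private array $rows = [];

    public function issue(int $userId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = ['user_id' => $userId, 'expires_at' => $now + $ttlSeconds];
        return $token;                        // plaintext leaves the server once; a DB leak yields only digests
    }

    /** Returns the user id for a live token, null otherwise. */
    public function authenticate(string $token, int $now): ?int
    {
        $digest = hash('sha256', $token);     // lookup by digest: a timing leak on the index reveals at most the digest, not the token
        if (!isset($this->rows[$digest])) {
            return null;
        }
        if ($this->rows[$digest]['expires_at'] <= $now) {
            unset($this->rows[$digest]);      // expired tokens are dropped, not honoured
            return null;
        }
        return $this->rows[$digest]['user_id'];
    }

    /** On APP_KEY or token compromise: revoke every outstanding token for the user. */
    public function revokeAllFor(int $userId): void
    {
        $this->rows = array_filter($this->rows, fn(array $row): bool => $row['user_id'] !== $userId);
    }
}

$store = new TokenStore();
$token = $store->issue(1, 3600, time());
assert($store->authenticate($token, time()) === 1);          // valid now
assert($store->authenticate($token, time() + 3601) === null); // rejected after expiry
```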

Affected Systems

All installations of the freescout-help-desk:freescout product that run a version earlier than 1.8.206 are affected. Versions 1.8.206 and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 9.8 places the vulnerability in the critical range, but the EPSS of less than 1% indicates a very low probability of active exploitation at present. The attack requires discovery of the APP_KEY, after which an attacker can forge a valid token and log in as any user by simply supplying that token. Because the tokens are long-lived, the risk persists across all sessions until the application is updated or the key is securely rotated. The vulnerability is not listed in any KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeScout 1.8.206 or later, where the predictable token issue is corrected.
  • Protect the APP_KEY by storing it in secure configuration files, setting strict file permissions, and avoiding exposure in source control or logs.
  • If the APP_KEY has already been compromised, rotate it immediately and restart the application; this will invalidate previously generated tokens and reduce the attack window.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Freescout
Freescout freescout
CPEs cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products Freescout
Freescout freescout

Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Freescout Helpdesk
Freescout Helpdesk freescout
Vendors & Products Freescout Helpdesk
Freescout Helpdesk freescout

Wed, 25 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
Title FreeScout's Predictable Authentication Token Enables Account Takeover
Weaknesses CWE-330
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T15:21:52.817Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27637

Vulnrichment

Updated: 2026-02-25T15:21:36.440Z

NVD

Status : Analyzed

Published: 2026-02-25T04:16:04.110

Modified: 2026-02-26T16:08:44.857

Link: CVE-2026-27637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses