Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.
Published: 2026-04-21
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass and Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated user can exploit the /system/cron endpoint in FreeScout to bypass normal authentication controls, exposing a static MD5 hash derived from the APP_KEY that is returned in responses and logs. This disclosure reveals sensitive server details such as full file paths, process IDs, and other configuration information, and also allows an attacker to repeatedly trigger heavy background jobs without rate limiting, enabling denial-of-service or brute-force attempts. The flaw aligns with CWE-200 (Information Exposure), CWE-284 (Improper Authorization) and CWE-770 (Out-of-Bound Resource Allocation).

Affected Systems

FreeScout self-hosted help-desk deployments of any version earlier than 1.8.213 are affected, including the freescout-help-desk:freescout product. The vulnerability is fixed starting with the 1.8.213 release, which removes the insecure hash calculation and adds proper request throttling.

Risk and Exploitability

With a CVSS score of 8.9 the issue is classified as high severity; EPSS data is not available, but the absence of authentication and rate limiting provides a clear remote attack path for any host able to reach the affected endpoint. KEV does not list the vulnerability, indicating no known widespread exploitation at this time. The likely vector is a simple HTTP request to /system/cron from an external attacker, which can harvest the hash, enumerate server details, and exhaust resources by looping background tasks.

Generated by OpenCVE AI on April 21, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.213 or later to eliminate the insecure hashing and add request throttling.
  • Restrict remote access to the /system/cron endpoint using firewall rules or web-server configuration until the upgrade can be applied.
  • Sanitize application logs so the APP_KEY and MD5 hash are not recorded, and review logging settings to prevent credential exposure.

Generated by OpenCVE AI on April 21, 2026 at 22:45 UTC.
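
A log-audit sketch for the token exposure and missing throttling described above, added here as an example and not FreeScout or OpenCVE code: it redacts 32-hex tokens from `/system/cron` requests, counts lines that carry the instance's own token, and flags clients that hit the endpoint repeatedly. The Combined Log Format, the URL layout in the sample lines, the `max_hits`/`window` thresholds and the sample key are assumptions; the token formula is the one quoted in the description.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format (assumed): ip - - [time] "METHOD uri PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) ')
HEX32 = re.compile(r'\b[0-9a-fA-F]{32}\b')

def cron_hash(app_key: str) -> str:
    """Token formula quoted in the description: md5(APP_KEY . 'web_cron_hash')."""
    return hashlib.md5((app_key + "web_cron_hash").encode()).hexdigest()

def audit(lines, app_key, max_hits=3, window=timedelta(minutes=1)):
    """Return (redacted_lines, lines_exposing_token, noisy_ips)."""
    token = cron_hash(app_key)
    redacted, exposed, hits = [], 0, defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group(3).startswith("/system/cron"):
            redacted.append(line)  # unrelated request: keep untouched
            continue
        ip, ts, uri = m.groups()
        if token in uri.lower():
            exposed += 1  # this instance's own token was written to the log
        hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        redacted.append(line.replace(uri, HEX32.sub("[REDACTED]", uri)))
    noisy = set()
    for ip, times in hits.items():
        times.sort()
        # Sliding window: more than max_hits requests inside `window`.
        for i in range(len(times) - max_hits):
            if times[i + max_hits] - times[i] <= window:
                noisy.add(ip)
                break
    return redacted, exposed, sorted(noisy)

# Constructed sample data: not a real APP_KEY, documentation-range IPs.
SAMPLE_KEY = "constructed-demo-key"
SAMPLE_TOKEN = cron_hash(SAMPLE_KEY)
SAMPLE_LOG = [
    f'198.51.100.7 - - [21/Apr/2026:10:00:0{i} +0000] '
    f'"GET /system/cron/{SAMPLE_TOKEN} HTTP/1.1" 200 512'
    for i in range(5)
] + ['203.0.113.9 - - [21/Apr/2026:10:05:00 +0000] "GET /login HTTP/1.1" 200 900']
```

A non-zero exposure count means the token has been written to logs readable by anyone with log access.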

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Freescout; Freescout freescout |
| CPEs | | cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:* |
| Vendors & Products | | Freescout; Freescout freescout |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 21 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Freescout Helpdesk; Freescout Helpdesk freescout |
| Vendors & Products | | Freescout Helpdesk; Freescout Helpdesk freescout |

Tue, 21 Apr 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue. |
| Title | | FreeScout has Authentication Bypass and Information Disclosure in SystemController via /system/cron |
| Weaknesses | | CWE-200; CWE-284; CWE-770 |
| References | | |
| Metrics | | cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:20:23.159Z

Reserved: 2026-04-13T19:50:42.115Z

Link: CVE-2026-40498

Vulnrichment

Updated: 2026-04-21T19:20:19.291Z

NVD

Status: Analyzed

Published: 2026-04-21T16:16:20.240

Modified: 2026-04-22T17:34:45.210

Link: CVE-2026-40498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:00:03Z

Weaknesses