Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.
Published: 2026-05-07
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the /user-setup/{hash} endpoint of the FreeScout help desk system. It allows a 60‑character random invitation hash to set a new user’s password without performing any expiration check. The hash remains valid indefinitely until it is used. This missing expiration logic is a manifestation of CWE‑613, Insecure Direct Object Reference. An attacker who obtains a leaked invitation link can create or recover an account at any time after the invitation has been issued, resulting in a permanent takeover. If the invitation was sent to an administrative user, the attacker gains full admin privileges. The impact is a complete compromise of confidentiality and integrity for the affected account and potentially the entire system. Availability is not directly affected, though an attacker could also use the account to create arbitrary traffic or alter tickets.

Affected Systems

All installations of FreeScout (freescout-help-desk:freescout) running a version earlier than 1.8.217 are affected. The vulnerability was fixed in the 1.8.217 release. No other FreeScout versions are known to have this issue.

Risk and Exploitability

The CVSS score of 9.1 reflects a high severity rating for remote, unauthenticated exploitation. The EPSS score is not available, but the absence of an expiration means that once a hash is leaked, it remains useful for an unlimited period, increasing the practical exploitation window. The vulnerability is not listed in the CISA KEV catalog, though it poses a significant risk in environments where invitation links can travel outside the intended recipient's mailbox (forwarded mail, shared inboxes, logs). An attacker requires only knowledge of a valid hash, which can arise from email leakage, referrer leakage, server logs or abandoned invites.

Generated by OpenCVE AI on May 7, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeScout version 1.8.217 or newer
  • Delete or revoke any unused invitation links that may have been generated prior to the patch
  • Configure email and web settings to prevent outbound URL leaks (e.g., set referrer‑policy, avoid CDN usage on the setup page)
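The description above says the pre-1.8.217 endpoint accepted the invite hash with no expiration check and kept it valid until consumed. As an added illustration, not FreeScout's own code, the plain-PHP sketch below shows the remediation pattern behind the recommended actions: the stored invite carries an expiry, only a digest of the hash is kept server-side, and the hash is invalidated on first use. The function names, the 72-hour TTL and the in-memory array store are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not FreeScout's code: invite hash with an expiry, stored as
// a digest, consumed on first use. Names, TTL and the array store are assumed.

const INVITE_TTL_SECONDS = 72 * 3600; // assumed policy: invite links expire after 72 hours

/** Issue an invite: return the raw hash for the email; keep only its SHA-256 server-side. */
function issueInvite(array &$store, string $userId, int $now): string
{
    $raw = bin2hex(random_bytes(30)); // 60 hex characters, matching the hash length on the page
    $store[hash('sha256', $raw)] = [
        'user_id'    => $userId,
        'expires_at' => $now + INVITE_TTL_SECONDS,
        'used'       => false,
    ];
    return $raw;
}

/**
 * Validate a presented hash. Returns the user id on success, or null when the
 * hash is unknown, expired or already consumed. Accepted hashes are marked used,
 * so a leaked link cannot be replayed after the legitimate setup.
 */
function consumeInvite(array &$store, string $presented, int $now): ?string
{
    $key = hash('sha256', $presented);
    if (!isset($store[$key])) {
        return null;
    }
    $rec = &$store[$key];
    // The expiry comparison is the check the pre-1.8.217 endpoint did not perform.
    if ($rec['used'] || $now > $rec['expires_at']) {
        return null;
    }
    $rec['used'] = true;
    return $rec['user_id'];
}

// Demo with a constructed clock so the three outcomes are reproducible.
$store = [];
$t0 = 1700000000;
$link = issueInvite($store, 'admin-42', $t0);
var_dump(consumeInvite($store, $link, $t0 + 3600));                     // fresh link inside the TTL
var_dump(consumeInvite($store, $link, $t0 + 3600));                     // same link replayed
$stale = issueInvite($store, 'agent-7', $t0);
var_dump(consumeInvite($store, $stale, $t0 + INVITE_TTL_SECONDS + 1)); // link presented after expiry
```

Revoking invites generated before the patch, as the second recommended action says, corresponds to dropping their records from the store so the lookup fails regardless of age.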


Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products | | Freescout Helpdesk; Freescout Helpdesk freescout

Thu, 07 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.
Title | | FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks
Weaknesses | | CWE-613
References | |
Metrics cvssV3_1 | | {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Freescout Helpdesk Freescout
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T18:03:50.599Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41902

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-07T19:16:00.807

Modified: 2026-05-07T19:51:36.220

Link: CVE-2026-41902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:30:15Z

Weaknesses