CRITICAL🇵🇱 Wersja polska

CVE-2026-27637

CVSS 9.8v3.1pub. 2026-02-25upd. 2026-02-26

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.

🤖 AI Analysis
How it works

The `TokenAuth` middleware calculates the authentication token as MD5 of the concatenation of the user identifier, user creation date, and the application key APP_KEY. The token is static — it never expires or is rotated. The APP_KEY in applications based on the Laravel framework is a well-documented information disclosure vector (e.g., through exposed configuration files). With access to APP_KEY, an attacker can independently calculate the correct token for any user and authenticate without providing a password. The vulnerability can be exploited independently or in combination with CVE-2026-27636.

Impact

An attacker can take full control of any FreeScout user account, including administrator accounts, without knowing the password, leading to breach of confidentiality, integrity, and availability of helpdesk data.

Mitigation & patch

FreeScout should be updated to version 1.8.206, which eliminates this vulnerability. Additionally, it is recommended to rotate the APP_KEY and invalidate existing authentication tokens.

Who is affected

FreeScout versions prior to 1.8.206

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Freescout

    APP
    Freescout
    < 1.8.206
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-32754CRITICAL9.3PL ✓ten sam produkt

FreeScout: Stored XSS w szablonach powiadomień e-mail umożliwia przejęcie kont

CVE-2026-28289CRITICAL10.0PL ✓ten sam produkt

FreeScout: bypass zabezpieczeń uploadu pliku prowadzący do RCE

CVE-2024-29185CRITICAL9.0PL ✓ten sam produkt

FreeScout: OS Command Injection umożliwiający przejęcie serwera

CVE-2026-40496HIGH8.8ten sam produkt

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download to...

CVE-2026-40497HIGH8.1ten sam produkt

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::s...