Skip to main content

Freescout CVE-2026-40496

| EUVDEUVD-2026-24049 HIGH
Use of Insufficiently Random Values (CWE-330)
2026-04-21 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 23, 2026 - 16:32 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 04:29 vuln.today
Patch available
Apr 21, 2026 - 03:01 EUVD
CVSS changed
Apr 21, 2026 - 02:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 02:00 euvd
EUVD-2026-24049
Analysis Generated
Apr 21, 2026 - 02:00 vuln.today
CVE Published
Apr 21, 2026 - 01:38 nvd
HIGH 8.8

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: md5(APP_KEY + attachment_id + size). Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.

AnalysisAI

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.

Technical ContextAI

FreeScout is a self-hosted open-source help desk and shared mailbox system built on PHP/Laravel. The vulnerability exists in the attachment access control mechanism which generates download authorization tokens using MD5(APP_KEY + attachment_id + size). This falls under CWE-330 (Use of Insufficiently Random Values) because the token generation relies on predictable inputs: attachment_id values are sequential integers assigned to database records, file sizes occupy a narrow numeric range (typically bytes to megabytes), and APP_KEY is a Laravel application secret that remains constant per installation. MD5 is a fast cryptographic hash, enabling rapid brute-force attempts. An attacker can iterate through sequential attachment_id values combined with common file sizes to generate candidate tokens and systematically harvest all attachments stored in the system. The affected product per CPE is cpe:2.3:a:freescout-help-desk:freescout for all versions prior to 1.8.213.

RemediationAI

Immediate upgrade to FreeScout version 1.8.213 or later is the primary remediation, available from https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The fix implemented in commit dbdf8f2260b43a21818255c70f0b61b9de9cd555 replaces the weak token formula with cryptographically secure random token generation. For organizations unable to immediately upgrade, implement compensating controls: restrict network access to FreeScout web interface to authenticated VPN users only (eliminates unauthenticated remote attack vector but prevents external customer access), deploy web application firewall rules to rate-limit /download or attachment endpoint requests (slows enumeration attacks but determined attackers can still succeed over time), or temporarily disable attachment features if operationally feasible (breaks core help desk functionality). All compensating controls have significant operational trade-offs and should be considered temporary measures only. Post-upgrade, audit server logs for suspicious sequential attachment download patterns from single IPs to identify potential prior exploitation. Rotate APP_KEY after patching if logs indicate compromise, as existing tokens generated with old formula may remain valid in user sessions. Review all attachments accessed during the vulnerability window for unauthorized disclosure of sensitive data.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-40496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy