Skip to main content

FreeScout CVE-2026-40498

| EUVDEUVD-2026-24137 HIGH
Information Exposure (CWE-200)
2026-04-21 GitHub_M
8.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 22, 2026 - 17:34 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 20:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 16:31 EUVD
Analysis Generated
Apr 21, 2026 - 16:31 vuln.today
CVSS changed
Apr 21, 2026 - 16:22 NVD
8.9 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 15:30 euvd
EUVD-2026-24137
Analysis Generated
Apr 21, 2026 - 15:30 vuln.today
CVE Published
Apr 21, 2026 - 15:01 nvd
HIGH 8.9

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.

AnalysisAI

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.

Technical ContextAI

FreeScout is an open-source PHP-based help desk application that implements a web-accessible cron endpoint (/system/cron) for scheduled task execution. The vulnerability stems from authentication bypass (CWE-200: Information Exposure) where access control relies solely on a static token generated via md5(APP_KEY . 'web_cron_hash'). The APP_KEY, intended as a secret Laravel framework configuration value, becomes exposed through HTTP responses and server logs. Because the hash is transmitted via GET parameters, it persists in browser history, reverse proxy logs, and web server access logs. The MD5 algorithm's cryptographic weakness, combined with the static nature of the hash and lack of rate limiting, enables both brute-force attacks and replay attacks. The affected CPE (cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:*) indicates all versions before the 1.8.213 patch are vulnerable.

RemediationAI

Immediately upgrade to FreeScout version 1.8.213 or later, as confirmed in the release notes at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The patch commit (https://github.com/freescout-help-desk/freescout/commit/b1d6c2c601a6ec3626ab13e679607b5084dfbd38) implements proper authentication and rate limiting on diagnostic endpoints. For installations where immediate patching is not feasible, implement network-level access controls: restrict /system/cron and other /system/* paths to localhost-only access via web server configuration (nginx location block or Apache .htaccess directives), though this will break legitimate external cron job triggers that rely on web-based scheduling. Alternatively, deploy a web application firewall rule blocking unauthenticated requests to /system/* paths, but this may interfere with legitimate administrative workflows. Rotate the APP_KEY environment variable after patching to invalidate any previously exposed hashes, though this requires updating all application configurations and may disrupt active sessions. Monitor web server logs for suspicious GET requests to /system/cron with hash parameters as indicators of reconnaissance or exploitation attempts. Note that network restrictions will prevent legitimate external monitoring tools from accessing diagnostic endpoints.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40496 HIGH
8.8 Apr 21

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attach

Share

CVE-2026-40498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy