Skip to main content

FreeScout CVE-2026-41902

| EUVDEUVD-2026-28405 CRITICAL
Insufficient Session Expiration (CWE-613)
2026-05-07 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
May 07, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 19:45 vuln.today
Analysis Generated
May 07, 2026 - 19:45 vuln.today
CVE Published
May 07, 2026 - 18:03 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check - the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.

AnalysisAI

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access to user accounts, including admin accounts, via non-expiring invite tokens. The /user-setup/{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.

Technical ContextAI

FreeScout is a PHP Laravel-based help desk and shared inbox application (CPE: cpe:2.3:a:freescout-help-desk:freescout). The vulnerability exploits CWE-613 (Insufficient Session Expiration) in the user invitation flow. When administrators create user accounts, the system generates a 60-character cryptographically random invite_hash token and emails a setup link containing this hash to the new user. The /user-setup/{hash} endpoint validates the hash against stored invite records but performs no timestamp check or expiration logic. The token remains valid in the database indefinitely until a password is set, treating the invite as a permanent bearer credential rather than a time-limited one-time password reset mechanism. This design flaw converts what should be ephemeral onboarding credentials into persistent account takeover vectors. The Laravel framework provides session management primitives but application-layer expiration logic must be explicitly implemented by developers. The 1.8.217 patch introduces a 7-day TTL on invite tokens, aligning with OWASP recommendations for password reset and invitation link lifetimes.

RemediationAI

Upgrade to FreeScout version 1.8.217 or later immediately. The patch implements a 7-day expiration window for user invite links as confirmed in the release notes: 'Make user invite link expirable after 7 days' (Security: GHSA-hqff-cwx7-3jpm). Download the patched version from the official GitHub release page at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 and follow the standard FreeScout upgrade procedure documented in the project wiki. After upgrading, audit user accounts for unexpected password changes or access patterns that may indicate prior exploitation. Revoke and regenerate invite links for any pending user setups issued before the patch. If immediate patching is not possible, implement network-level access controls to restrict /user-setup/* endpoints to trusted IP ranges or internal networks only via nginx/Apache rewrite rules or Web Application Firewall policies (trade-off: legitimate remote users cannot complete setup). Alternatively, temporarily disable new user invitation functionality and use manual password reset flows via direct database manipulation (trade-off: breaks normal onboarding workflow, requires database access). Review web server access logs and application logs for suspicious /user-setup/ endpoint access with old timestamps to identify potential historical compromise. All workarounds impose significant operational overhead; patching is the only complete remediation.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

CVE-2026-40496 HIGH
8.8 Apr 21

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attach

Share

CVE-2026-41902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy