CVE-2026-27636
Received Received - Intake
Remote Code Execution via .htaccess Upload in FreeScout

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27636
EUVD
EUVD-2026-8612
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.206 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27636 is a critical remote code execution vulnerability in FreeScout versions prior to 1.8.206. The issue arises because FreeScout's file upload restriction list does not block the upload of .htaccess or .user.ini files. On Apache servers configured with AllowOverride All, an authenticated user can upload a .htaccess file to redefine how files are processed by the server."}, {'type': 'paragraph', 'content': 'By uploading a specially crafted .htaccess file, an attacker can instruct the server to treat certain file types (e.g., .txt) as executable PHP scripts. Then, by uploading a file containing PHP code with system commands, the attacker can execute arbitrary commands on the server with the privileges of the web server user.'}, {'type': 'paragraph', 'content': 'This vulnerability can be exploited alone by any authenticated user or combined with other vulnerabilities (such as CVE-2026-27637) to escalate privileges or gain remote code execution.'}] [3]

Impact Analysis

This vulnerability allows any authenticated user to execute arbitrary system commands on the server hosting FreeScout. The attacker can upload files that change server behavior and execute malicious code.

  • Execute arbitrary system commands as the web server user.
  • Read and write files on the server, potentially accessing sensitive data.
  • Pivot to internal networks or exfiltrate sensitive information such as database credentials.
  • When combined with other vulnerabilities, attackers can gain full administrative access and further compromise the server.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of uploaded .htaccess or .user.ini files in FreeScout installations prior to version 1.8.206, especially on Apache servers with AllowOverride All enabled.'}, {'type': 'paragraph', 'content': 'Additionally, detection can involve verifying if the TokenAuth middleware is using a predictable static authentication token based on MD5 hashes of user_id, created_at, and APP_KEY, which never expires or rotates.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts or presence of malicious files include:'}, {'type': 'list_item', 'content': 'Search for .htaccess or .user.ini files uploaded in user directories or conversation attachments: `find /path/to/freescout/storage/app/attachment -name ".htaccess" -o -name ".user.ini"`'}, {'type': 'list_item', 'content': 'Check web server logs for unusual requests accessing .txt files with query parameters that might indicate command execution attempts, e.g.: `grep ".txt?cmd=" /var/log/apache2/access.log`'}, {'type': 'list_item', 'content': 'Monitor HTTP requests containing the auth_token parameter and in_app cookie to detect possible token-based authentication bypass attempts, for example by inspecting web server logs or using a network capture tool like tcpdump or Wireshark.'}, {'type': 'list_item', 'content': 'Example curl command to test if the vulnerability is present (do not run on unauthorized systems): `curl -b \'in_app=1\' "https://target.com/conversations?auth_token=TOKEN"` where TOKEN is computed as md5("1" + CREATED_AT + APP_KEY).'}] [1, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.206 or later, where the vulnerability has been fixed.

Additional mitigation steps include:

  • Ensure that the file upload restriction list in app/Misc/Helper.php includes .htaccess, .user.ini, and other potentially dangerous extensions to prevent uploading of files that can alter server behavior.
  • Review and secure the Laravel APP_KEY to prevent its exposure through misconfigurations such as .env file leaks, debug mode, backup leaks, or git history.
  • Implement rate limiting and monitoring on authentication attempts to reduce the risk of token guessing attacks.
  • Restrict Apache server configuration by limiting AllowOverride directives where possible to reduce the impact of malicious .htaccess files.
  • Audit and remove any suspicious .htaccess or .user.ini files that may have been uploaded prior to patching.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27636. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart