CVE-2026-27636
Status: Received - Intake
Remote Code Execution via .htaccess Upload in FreeScout

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: freescout
Product: freescout
Version / Range: all versions before 1.8.206 (1.8.206 itself is not affected)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27636 is a critical remote code execution vulnerability in FreeScout versions prior to 1.8.206. The issue arises because FreeScout's file upload restriction list does not block the upload of .htaccess or .user.ini files. On Apache servers configured with AllowOverride All, an authenticated user can upload a .htaccess file to redefine how files are processed by the server.

By uploading a specially crafted .htaccess file, an attacker can instruct the server to treat certain file types (e.g., .txt) as executable PHP scripts. Then, by uploading a file containing PHP code with system commands, the attacker can execute arbitrary commands on the server with the privileges of the web server user.

This vulnerability can be exploited alone by any authenticated user or combined with other vulnerabilities (such as CVE-2026-27637) to escalate privileges or gain remote code execution. [3]


How can this vulnerability impact me?

This vulnerability allows any authenticated user to execute arbitrary system commands on the server hosting FreeScout. The attacker can upload files that change server behavior and execute malicious code.

  • Execute arbitrary system commands as the web server user.
  • Read and write files on the server, potentially accessing sensitive data.
  • Pivot to internal networks or exfiltrate sensitive information such as database credentials.
  • When combined with other vulnerabilities, attackers can gain full administrative access and further compromise the server.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of uploaded .htaccess or .user.ini files in FreeScout installations prior to version 1.8.206, especially on Apache servers with AllowOverride All enabled.

Additionally, detection can involve verifying whether the TokenAuth middleware is using a predictable static authentication token based on MD5 hashes of user_id, created_at, and APP_KEY, which never expires or rotates.

Suggested commands to detect exploitation attempts or the presence of malicious files include:

  • Search for .htaccess or .user.ini files uploaded in user directories or conversation attachments: `find /path/to/freescout/storage/app/attachment -name ".htaccess" -o -name ".user.ini"`
  • Check web server logs for unusual requests accessing .txt files with query parameters that might indicate command execution attempts, e.g.: `grep ".txt?cmd=" /var/log/apache2/access.log`
  • Monitor HTTP requests containing the auth_token parameter and in_app cookie to detect possible token-based authentication bypass attempts, for example by inspecting web server logs or using a network capture tool like tcpdump or Wireshark.
  • Example curl command to test if the vulnerability is present (do not run on unauthorized systems): `curl -b 'in_app=1' "https://target.com/conversations?auth_token=TOKEN"` where TOKEN is computed as md5("1" + CREATED_AT + APP_KEY).

[1, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreeScout to version 1.8.206 or later, where the vulnerability has been fixed.

Additional mitigation steps include:

  • Ensure that the file upload restriction list in app/Misc/Helper.php includes .htaccess, .user.ini, and other potentially dangerous extensions to prevent uploading of files that can alter server behavior.
  • Review and secure the Laravel APP_KEY to prevent its exposure through misconfigurations such as .env file leaks, debug mode, backup leaks, or git history.
  • Implement rate limiting and monitoring on authentication attempts to reduce the risk of token guessing attacks.
  • Restrict Apache server configuration by limiting AllowOverride directives where possible to reduce the impact of malicious .htaccess files.
  • Audit and remove any suspicious .htaccess or .user.ini files that may have been uploaded prior to patching.
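The two defensive checks behind the detection answer and the first and last mitigation items, as an added Python example that is not FreeScout's code (FreeScout keeps its real restriction list in app/Misc/Helper.php): an upload-name policy that rejects .htaccess, .user.ini and every other dotfile no matter how the extension is parsed, and an audit that walks an attachment store for files already present that violate it. The block list, the names and the sample directory layout are constructed for illustration.

```python
"""Added example (not FreeScout's own code): upload-name policy blocking
server-config overrides such as .htaccess/.user.ini, plus an audit pass."""
import os
import tempfile

# Constructed block list for illustration; FreeScout keeps its real
# restriction list in app/Misc/Helper.php.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar", "cgi", "pl", "sh"}
# Exact names that are dangerous however the extension is parsed.
BLOCKED_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


def is_upload_allowed(filename: str) -> bool:
    """Return True only if the name passes the policy.

    Normalises case, path separators and trailing dots/spaces (some
    filesystems strip them before storing), rejects any dotfile (every
    per-directory server override is one), and checks each extension
    segment so "shell.php.txt" is caught, not only the last segment.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    name = name.strip().rstrip(". ").lower()
    if not name or name in BLOCKED_NAMES or name.startswith("."):
        return False
    segments = name.split(".")[1:]  # every extension after the stem
    return not any(seg in BLOCKED_EXTENSIONS for seg in segments)


def audit_attachments(root: str) -> list:
    """Walk an attachment store and return paths violating the policy.

    Run after patching to find overrides uploaded before the fix.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if not is_upload_allowed(f))
    return sorted(hits)


def demo() -> list:
    """Audit a constructed attachment tree; returns the offending paths."""
    with tempfile.TemporaryDirectory() as root:
        conv = os.path.join(root, "42")  # one conversation's attachments
        os.makedirs(conv)
        for n in ("invoice.pdf", ".htaccess", ".user.ini", "notes.txt"):
            open(os.path.join(conv, n), "w").close()
        # returns ['42/.htaccess', '42/.user.ini']
        return [os.path.relpath(p, root) for p in audit_attachments(root)]
```

Point `audit_attachments` at the real attachment directory (for example the `storage/app/attachment` path used in the detection answer) to list candidates for manual review before removing anything.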
