CVE-2026-27637
Predictable TokenAuth in FreeScout Allows Full Account Takeover
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | < 1.8.206 (1.8.206 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in FreeScout prior to version 1.8.206 involves its TokenAuth middleware using a predictable authentication token. This token was computed as an MD5 hash of the user ID, creation timestamp, and the application's APP_KEY. Because the token never expires or rotates, if an attacker obtains the APP_KEY, a common exposure vector in Laravel applications, they can generate a valid token for any user, including administrators. This allows the attacker to take over accounts without needing any passwords.
How can this vulnerability impact me?
This vulnerability can lead to full account takeover without requiring any password. An attacker who obtains the APP_KEY can compute valid authentication tokens for any user, including administrators, thereby gaining unauthorized access to sensitive information and control over the FreeScout help desk system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the use of the vulnerable FreeScout versions prior to 1.8.206 and checking for the presence of predictable authentication tokens.
Since the vulnerable token is a static MD5 hash of user_id, created_at, and APP_KEY, you can look for authentication tokens in network traffic or logs that match this pattern.
Commands to help detect this might include searching web server logs or captured HTTP requests for tokens that appear as MD5 hashes or tokens that do not expire.
- Use grep or similar tools to search logs for suspicious tokens: grep -Eo '[a-f0-9]{32}' /var/log/nginx/access.log
- Monitor HTTP headers or cookies for authentication tokens that look like MD5 hashes.
- Check the FreeScout version installed by running: php artisan --version or checking the application metadata.
Note that the vulnerability requires knowledge of the APP_KEY, so detection may also involve auditing the security of the APP_KEY and ensuring it is not exposed.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade FreeScout to version 1.8.206 or later, where the vulnerability is fixed by implementing a more secure token format with expiry and HMAC SHA-256 protection.
If immediate upgrade is not possible, consider the following steps:
- Rotate the APP_KEY to prevent attackers from computing valid tokens.
- Audit and secure the APP_KEY to ensure it is not exposed in source code repositories, configuration files, or error messages.
- Invalidate existing tokens by forcing password resets or clearing token caches, since the new token format ties tokens to user passwords.
- Monitor authentication logs for suspicious activity indicating token misuse or account takeover attempts.
Overall, upgrading to the fixed version is the most effective and recommended mitigation.
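As an added illustration, not FreeScout's own code and not the exact format shipped in 1.8.206, the following shows the shape of a token scheme with the three properties the fix is described as having: an HMAC-SHA256 keyed with the APP_KEY, an expiry, and a binding to the user's current password hash so that a password change or expiry invalidates outstanding tokens. The token layout, the constructed APP_KEY value and the password-hash lookup callback are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real deployment reads the Laravel APP_KEY from its environment.
APP_KEY = b"base64:demo-app-key-not-a-real-secret"


def _mac(user_id, expires_at, password_hash):
    """HMAC-SHA256 over user id, expiry and the current password hash (assumed layout)."""
    msg = f"{user_id}|{expires_at}|{password_hash}".encode()
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, password_hash, ttl_seconds, now=None):
    """Issue a token "<user_id>.<expires_at>.<mac>" that expires after ttl_seconds.

    Unlike a static MD5 of (user_id, created_at, APP_KEY), the MAC also covers the
    password hash, so the token dies when the password changes or the expiry passes.
    """
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    return f"{user_id}.{expires_at}.{_mac(user_id, expires_at, password_hash)}"


def verify_token(token, lookup_password_hash, now=None):
    """Return the user_id if the token is well-formed, unexpired and authentic; else None.

    lookup_password_hash(user_id) returns the stored password hash or None (assumed callback).
    """
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, mac = token.split(".")
        user_id, expires_at = int(uid_s), int(exp_s)
    except ValueError:
        return None  # malformed token
    if expires_at <= now:
        return None  # expired
    password_hash = lookup_password_hash(user_id)
    if password_hash is None:
        return None  # unknown user
    expected = _mac(user_id, expires_at, password_hash)
    # compare_digest avoids leaking the MAC byte-by-byte through response timing
    if not hmac.compare_digest(expected, mac):
        return None  # forged or stale token
    return user_id
```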