CVE-2026-27637
Status: Received - Intake
Predictable TokenAuth in FreeScout Allows Full Account Takeover

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` (a well-documented and common exposure vector in Laravel applications) they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-02-25
EPSS evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: freescout
Product: freescout
Version / Range: all versions before 1.8.206 (1.8.206 excluded, i.e. fixed)
CWE
CWE-330: The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
AI Quick Actions
Executive Summary

The vulnerability in FreeScout prior to version 1.8.206 involves its TokenAuth middleware using a predictable authentication token. This token was computed as an MD5 hash of the user ID, creation timestamp, and the application's APP_KEY. Because the token never expires or rotates, if an attacker obtains the APP_KEY (a common exposure vector in Laravel applications) they can generate a valid token for any user, including administrators. This allows the attacker to take over accounts without needing any passwords.

Impact Analysis

This vulnerability can lead to full account takeover without requiring any password. An attacker who obtains the APP_KEY can compute valid authentication tokens for any user, including administrators, thereby gaining unauthorized access to sensitive information and control over the FreeScout help desk system.

Detection Guidance

Detection has two parts: establishing whether a vulnerable version (anything before 1.8.206) is deployed, and looking for evidence that derived tokens have been presented by someone other than the legitimate user.

Because the vulnerable token is a static MD5 hash of user_id, created_at and APP_KEY, it appears in requests as a 32-character lowercase hex string that never changes for a given account. A 32-hex match on its own is a weak signal: session identifiers, cache keys and ETags have the same shape, so any search has to be narrowed to the requests that actually carry the TokenAuth token.

Commands and checks that help:

  • Search access logs for 32-hex strings and review the surrounding request: grep -Eo '[a-f0-9]{32}' /var/log/nginx/access.log (expect false positives; the pattern worth chasing is one token value reappearing from unexpected source addresses or user agents, since a legitimate token is static).
  • Monitor HTTP headers, cookies and query strings for tokens of that shape presented on authenticated requests.
  • Check the installed FreeScout version in the admin panel (Manage > System). Note that php artisan --version prints the Laravel framework version, not FreeScout's.

Because the token is derived on the fly rather than stored, the application keeps no list of issued tokens to compare against. The precondition for exploitation is knowledge of APP_KEY, so detection should also cover the key's exposure: .env files committed to version control or left under the web root, Laravel debug pages (APP_DEBUG=true) served to users, and backups or error reports that include environment values. If APP_KEY has been exposed at any point, assume every account's token was computable from that moment until the key was rotated.
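The following is an added example, not FreeScout's code, illustrating both the description above and the detection guidance. The advisory only states that the legacy token is MD5(user_id + created_at + APP_KEY); the concatenation order, the timestamp format, the request path in the sample log, APP_KEY, the user records, the per-user secrets and the log lines are all assumptions constructed for this example. It shows why a leaked APP_KEY is enough to forge every account's token, how deterministic tokens can be mapped back to the account they authenticate when reviewing logs, and a hardened token shape with expiry and HMAC-SHA256 as the page says the fix uses; mixing a per-user secret into the MAC key is this example's own addition, because a MAC keyed only by APP_KEY would still be forgeable by whoever holds that key.

```python
"""Legacy FreeScout-style TokenAuth derivation versus a keyed, expiring token.

Added example, not FreeScout's code. Concatenation order, timestamp format,
APP_KEY, users, per-user secrets, the request path and the log lines are all
constructed assumptions for the example.
"""
import hashlib
import hmac
import re
import time

# Constructed sample data: not a real key, not real accounts.
APP_KEY = "base64:ZXhhbXBsZS1hcHAta2V5LW5vdC1yZWFsLTEyMzQ1Njc4OTA="
USERS = [
    {"id": 1, "created_at": "2024-01-05 10:15:00", "role": "admin", "secret": "s1-constructed"},
    {"id": 2, "created_at": "2024-02-11 09:00:00", "role": "user", "secret": "s2-constructed"},
]
USER_SECRETS = {u["id"]: u["secret"] for u in USERS}


def legacy_token(user_id, created_at, app_key):
    """Vulnerable derivation (assumed order: user_id . created_at . APP_KEY).
    A sequential id, an account creation timestamp and APP_KEY: nothing that is
    both per-user and secret, no expiry, no rotation. Same token for the life
    of the account."""
    return hashlib.md5(f"{user_id}{created_at}{app_key}".encode()).hexdigest()


def forge_all(app_key, users):
    """What a holder of a leaked APP_KEY can do offline: one token per account,
    admin included, with no password involved."""
    return {u["id"]: legacy_token(u["id"], u["created_at"], app_key) for u in users}


HEX32 = re.compile(r"\b[0-9a-f]{32}\b")

# Constructed access-log lines. Line 2 carries the admin's legacy token on a
# made-up endpoint; line 3 carries a 32-hex value that is not a token
# (MD5 of the empty string, used here as a cache buster).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2026:10:00:01 +0000] "GET /mailbox/1 HTTP/1.1" 200 5123',
    f'203.0.113.9 - - [25/Feb/2026:10:02:17 +0000] "GET /example-endpoint?token='
    f'{legacy_token(1, USERS[0]["created_at"], APP_KEY)} HTTP/1.1" 200 812',
    '10.0.0.5 - - [25/Feb/2026:10:03:40 +0000] "GET /static/app.js?v=d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 200 44012',
]


def attribute_tokens(log_lines, app_key, users):
    """Incident-response helper: legacy tokens are deterministic, so a 32-hex
    value seen in a log can be mapped back to the account it authenticates.
    Returns (line_no, user_id, role, client_ip) per match; other 32-hex
    strings (session ids, cache busters, ETags) are ignored."""
    table = {legacy_token(u["id"], u["created_at"], app_key): u for u in users}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for cand in HEX32.findall(line):
            if cand in table:
                hits.append((n, table[cand]["id"], table[cand]["role"], line.split(" ", 1)[0]))
    return hits


def _mac_key(app_key, user_secret):
    """Per-user MAC key so that APP_KEY alone is not enough to forge a token.
    Mixing in a per-user secret is this example's choice; the page only says
    the fix uses HMAC-SHA256 with expiry."""
    return hmac.new(app_key.encode(), user_secret.encode(), hashlib.sha256).digest()


def issue_token(user_id, app_key, user_secret, ttl=3600, now=None):
    """Hardened shape: user id and absolute expiry in the clear, keyed MAC over both."""
    now = int(time.time()) if now is None else now
    msg = f"{user_id}:{now + ttl}"
    mac = hmac.new(_mac_key(app_key, user_secret), msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}:{mac}"


def verify_token(token, app_key, user_secrets, now=None):
    """Return the user id if the MAC verifies (constant-time compare) and the
    token is unexpired; None otherwise. A tampered user id selects a different
    secret and therefore fails the MAC check."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, mac = token.split(":")
        uid, exp = int(uid_s), int(exp_s)
    except ValueError:
        return None
    secret = user_secrets.get(uid)
    if secret is None:
        return None
    expected = hmac.new(_mac_key(app_key, secret), f"{uid}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return uid if exp > now else None
```

attribute_tokens is only useful when you already have the APP_KEY that was in force and the users table, which is exactly the situation in an incident where the key is known to have leaked: it tells you which account (and whether the admin's) a token observed in the logs authenticated, and from which client address.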

Mitigation Strategies

The primary mitigation is to upgrade FreeScout to version 1.8.206 or later, where the predictable token is replaced by a format with expiry and HMAC-SHA256 protection.

If an immediate upgrade is not possible, consider the following steps:

  • Rotate APP_KEY (php artisan key:generate) if it may have been exposed. On a vulnerable version this is the only way to invalidate existing tokens, because user_id and created_at cannot change. Plan for the side effects: Laravel also uses APP_KEY for encrypted cookies (including the session cookie) and for anything encrypted with the Crypt facade, so existing sessions and encrypted values become unreadable after rotation.
  • Audit and secure APP_KEY so that it is not exposed in source code repositories (including git history), backups or copies of .env under the web root, configuration files with loose permissions, or debug error pages (APP_DEBUG must be false in production).
  • Do not rely on password resets to invalidate tokens on a vulnerable version: the derived token does not include the password, and since tokens are computed rather than stored there is no token cache to clear. Only rotating APP_KEY or upgrading changes which tokens are accepted.
  • Monitor authentication logs for suspicious activity indicating token misuse or account takeover attempts, such as one static token value used from unexpected source addresses.

Overall, upgrading to the fixed version is the most effective and recommended mitigation.
