CVE-2026-41902
Invite Hash-Based Account Takeover in FreeScout
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | up to 1.8.217 (exclusive; 1.8.217 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows permanent unauthenticated account takeover due to leaked invite hashes that never expire. Such unauthorized access can lead to exposure and modification of sensitive user data, including admin-level privileges.
Because the vulnerability compromises confidentiality and integrity of user accounts without requiring authentication or user interaction, it poses significant risks to compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.
Failure to patch this issue could result in unauthorized data access or modification, potentially leading to regulatory violations, data breaches, and associated legal and financial consequences.
Can you explain this vulnerability to me?
CVE-2026-41902 is a critical vulnerability in FreeScout Help Desk versions prior to 1.8.217. It occurs because the /user-setup/{hash} endpoint accepts a 60-character invite hash that never expires. This means the invite hash remains valid indefinitely until it is used.
If an attacker obtains this invite hash (through leaked invite emails, HTTP referrer headers sent to external CDNs, server logs, or abandoned emails in shared inboxes), they can use it to set a new password for the associated user account without authentication.
This allows permanent account takeover, including admin accounts if the leaked invite was sent to an admin user. The root cause is that the system only checks if the hash exists but does not verify if it has expired or limit its usage.
How can this vulnerability impact me?
This vulnerability can lead to permanent, unauthenticated takeover of user accounts in FreeScout Help Desk. An attacker who obtains a leaked invite hash can reset the password and gain full access to the victim's account.
If the compromised account has administrative privileges, the attacker gains full admin access, potentially allowing them to control the entire help desk system, access sensitive data, and manipulate user permissions.
Because the invite hash never expires, the risk remains indefinitely, increasing the window of opportunity for attackers to exploit leaked hashes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection relies on monitoring requests to the /user-setup/{hash} endpoint, where the hash is the 60-character, non-expiring invite_hash. The aim is to identify requests to this endpoint that use invite hashes which have not been invalidated or expired.
You can search server logs or network traffic for HTTP requests matching the pattern /user-setup/{hash} where the hash is 60 characters long. Look for repeated or unusual access to this endpoint, especially from unauthenticated sources.
Example commands to detect such activity might include:
- Using grep on web server logs to find access to the vulnerable endpoint: `grep -E "/user-setup/[a-zA-Z0-9]{60}" /var/log/nginx/access.log`
- Using tcpdump or Wireshark to filter HTTP requests to the /user-setup/ endpoint (the BPF expression keeps only TCP segments that carry a payload): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/user-setup/"`
Additionally, review server-side logs for any exposure of invite hashes in referrer headers or error logs, as these can indicate leakage.
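As an added illustration (not part of this record and not FreeScout code), the same detection logic as a small Python script run over constructed sample log lines: it extracts /user-setup/ requests carrying a 60-character hash, groups them by hash and source address, and flags hashes that show up in a Referer header or are used from more than one address. The combined log format, the host name helpdesk.example and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Match the nginx/Apache "combined" log format (assumption: the server logs in that format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# The vulnerable endpoint with a 60-character invite hash (bounded so longer tokens do not match).
HASH_RE = re.compile(r'/user-setup/([A-Za-z0-9]{60})(?![A-Za-z0-9])')

# Constructed sample traffic, not real log data. H1 stands in for one leaked invite hash.
H1 = "a" * 60
SAMPLE_LOG = f"""\
203.0.113.5 - - [07/May/2026:10:01:02 +0000] "GET /user-setup/{H1} HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2026:10:01:03 +0000] "GET /css/app.css HTTP/1.1" 200 9001 "https://helpdesk.example/user-setup/{H1}" "Mozilla/5.0"
198.51.100.7 - - [08/May/2026:02:15:44 +0000] "GET /user-setup/{H1} HTTP/1.1" 200 4521 "-" "curl/8.0"
198.51.100.7 - - [08/May/2026:02:15:50 +0000] "POST /user-setup/{H1} HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.9 - - [08/May/2026:03:00:00 +0000] "GET /conversation/12 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def analyze(log_text):
    """Return per-hash activity plus findings that deserve triage."""
    by_hash = defaultdict(lambda: {"ips": set(), "hits": 0, "posts": 0})
    referer_leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hit = HASH_RE.search(m["path"])
        if hit:
            rec = by_hash[hit.group(1)]
            rec["ips"].add(m["ip"])
            rec["hits"] += 1
            if m["method"] == "POST":  # the POST is the password-set submission
                rec["posts"] += 1
        # A hash inside a Referer header means the invite URL travelled with a follow-up request.
        leak = HASH_RE.search(m["referer"])
        if leak:
            referer_leaks.append((m["ip"], m["path"], leak.group(1)))
    findings = []
    for h, rec in by_hash.items():
        if len(rec["ips"]) > 1:  # one invite link exercised from several addresses
            findings.append(("hash-used-from-multiple-ips", h, sorted(rec["ips"])))
    for ip, path, h in referer_leaks:
        findings.append(("hash-in-referer", h, f"{ip} {path}"))
    return {"hashes": dict(by_hash), "findings": findings}
```

Feed a real access log to `analyze()` and review each finding: a single invite hash reached from several addresses, or appearing in a Referer, is exactly the reuse and leakage this CVE describes.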
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeScout to version 1.8.217 or later, where the vulnerability has been patched.
The patch introduces an expiration mechanism for invite hashes, enforcing a 7-day time-to-live (TTL) and ensuring that invite hashes are only valid if their state is "sent".
Until the upgrade can be applied, consider invalidating all outstanding invite hashes manually if possible, and monitor for suspicious activity on the /user-setup/{hash} endpoint.
Also, review and secure email forwarding and server logs to prevent leakage of invite hashes.