FKIE_CVE-2026-27637

Vulnerability from fkie_nvd - Published: 2026-02-25 04:16 - Updated: 2026-02-26 16:08
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
References
security-advisories@github.comhttps://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9Patch
security-advisories@github.comhttps://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9Exploit, Vendor Advisory
security-advisories@github.comhttps://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vcNot Applicable
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vcNot Applicable
Impacted products
Vendor Product Version
freescout freescout *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "79CA8F5D-FF18-4F10-A6AF-3DBED9542088",
              "versionEndExcluding": "1.8.206",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to version 1.8.206, FreeScout\u0027s `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities."
    },
    {
      "lang": "es",
      "value": "FreeScout es un servicio de asistencia t\u00e9cnica gratuito y un buz\u00f3n compartido creado con el marco Laravel de PHP. Antes de la versi\u00f3n 1.8.206, el middleware \u0027TokenAuth\u0027 de FreeScout utiliza un token de autenticaci\u00f3n predecible calculado como \u0027MD5(user_id + created_at + APP_KEY)\u0027. Este token es est\u00e1tico (nunca expira/rota), y si un atacante obtiene la \u0027APP_KEY\u0027 \u2014 un vector de exposici\u00f3n bien documentado y com\u00fan en aplicaciones Laravel \u2014 pueden calcular un token v\u00e1lido para cualquier usuario, incluido el administrador, logrando una toma de control total de la cuenta sin ninguna contrase\u00f1a. Esta vulnerabilidad puede ser explotada por s\u00ed misma o en combinaci\u00f3n con CVE-2026-27636. La versi\u00f3n 1.8.206 corrige ambas vulnerabilidades."
    }
  ],
  "id": "CVE-2026-27637",
  "lastModified": "2026-02-26T16:08:44.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-25T04:16:04.110",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.