{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27637", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.029Z", "datePublished": "2026-02-25T03:41:23.478Z", "dateUpdated": "2026-02-25T15:21:52.817Z"}, "containers": {"cna": {"title": "FreeScout's Predictable Authentication Token Enables Account Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "lang": "en", "description": "CWE-330: Use of Insufficiently Random Values", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"}, {"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.206", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:41:23.478Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities."}], "source": {"advisory": "GHSA-6gcm-v8xf-j9v9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "tags": ["exploit"]}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T15:21:46.046132Z", "id": "CVE-2026-27637", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:21:52.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27637", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T15:21:46.046132Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "tags": ["exploit"]}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:21:36.440Z"}}], "cna": {"title": "FreeScout's Predictable Authentication Token Enables Account Takeover", "source": {"advisory": "GHSA-6gcm-v8xf-j9v9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.206"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9", "name": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-330", "description": "CWE-330: Use of Insufficiently Random Values"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:41:23.478Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27637", "state": "PUBLISHED", "dateUpdated": "2026-02-25T15:21:52.817Z", "dateReserved": "2026-02-20T22:02:30.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T03:41:23.478Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CA8F5D-FF18-4F10-A6AF-3DBED9542088", "versionEndExcluding": "1.8.206", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities."}], "id": "CVE-2026-27637", "lastModified": "2026-02-26T16:08:44.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T04:16:04.110", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Not Applicable"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.206)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-17T15:28:09.619317+00:00", "value": {"mitigation_remediation": ["Upgrade to FreeScout 1.8.206 or later, where the predictable token issue is corrected.", "Protect the APP_KEY by storing it in secure configuration files, setting strict file permissions, and avoiding exposure in source control or logs.", "If the APP_KEY has already been compromised, rotate it immediately and restart the application; this will invalidate previously generated tokens and reduce the attack window."], "summary": {"action": "Immediate Patch", "impact": "Account takeover"}, "threat_synthesis": {"affected_systems": "All installations of the freescout-help-desk:freescout product that run a version earlier than 1.8.206 are affected. Versions 1.8.206 and later contain the fix and are not vulnerable.", "description_and_impact": "FreeScout\u2019s authentication middleware, TokenAuth, creates a static token by hashing the user ID, the account\u2019s creation timestamp, and the application\u2019s secret key (APP_KEY) using MD5. The token never expires or rotates, so the same value remains valid for all sessions. When an attacker obtains the APP_KEY\u2014often exposed through Laravel configuration mis\u2011management\u2014they can compute a valid token for any user, including administrators, without needing a password. This flaw enables a complete account takeover and can be combined with the related CVE-2026-27636 vulnerability.", "risk_and_exploitability": "The CVSS score of 9.8 places the vulnerability in the critical range, but the EPSS of less than 1% indicates a very low probability of active exploitation at present. The attack requires discovery of the APP_KEY, after which an attacker can forge a valid token and log in as any user by simply supplying that token. Because the tokens are long\u2011lived, the risk persists across all sessions until the application is updated or the key is securely rotated. The vulnerability is listed in no KEV catalog."}}}}, "created": "2026-02-25T11:34:46.211886+00:00", "updated": "2026-04-17T15:30:06.037201+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}