{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40496", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.115Z", "datePublished": "2026-04-21T01:38:50.117Z", "dateUpdated": "2026-04-21T13:50:39.454Z"}, "containers": {"cna": {"title": "FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force", "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "lang": "en", "description": "CWE-330: Use of Insufficiently Random Values", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-340", "lang": "en", "description": "CWE-340: Generation of Predictable Numbers or Identifiers", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.213", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:38:50.117Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue."}], "source": {"advisory": "GHSA-2783-wxmm-wmwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:50:26.236611Z", "id": "CVE-2026-40496", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:50:39.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40496", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T13:50:26.236611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:50:31.591Z"}}], "cna": {"title": "FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force", "source": {"advisory": "GHSA-2783-wxmm-wmwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.213"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555", "name": "https://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-330", "description": "CWE-330: Use of Insufficiently Random Values"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-340", "description": "CWE-340: Generation of Predictable Numbers or Identifiers"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:38:50.117Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40496", "state": "PUBLISHED", "dateUpdated": "2026-04-21T13:50:39.454Z", "dateReserved": "2026-04-13T19:50:42.115Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T01:38:50.117Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA97ED0A-4886-4583-9D20-47BE39C40B01", "versionEndExcluding": "1.8.213", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue."}], "id": "CVE-2026-40496", "lastModified": "2026-04-23T16:32:59.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T02:16:08.350", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}, {"lang": "en", "value": "CWE-340"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.213)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-21T15:29:54.687428+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.213 or newer to replace the predictable token algorithm", "If immediate upgrade is not possible, restrict access to the attachment download URL by requiring authentication or firewall rules to limit exposure", "Monitor server logs for repeated token lookup attempts or unusually high numbers of private attachment downloads to detect exploitation attempts"], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Private Attachment Download"}, "threat_synthesis": {"affected_systems": "FreeScout, a self\u2011hosted help\u2011desk and shared\u2011mailbox solution. Versions prior to 1.8.213 are affected. The issue occurs in the attachment download endpoint where the token is generated and validated. Users running older releases of the freescout-help-desk:freescout product are at risk, regardless of public or private ticket visibility.", "description_and_impact": "The vulnerability in FreeScout arises from a weak and predictable attachment\u2011token generation formula, md5(APP_KEY + attachment_id + size). Because attachment identifiers are sequential and the size parameter can be guessed within a small range, an attacker can fabricate valid tokens without authentication and retrieve any private attachment. This defect enables the unauthorized download of confidential documents, compromising confidentiality and potentially exposing sensitive business information. The weakness maps to CWE\u2011330 and CWE\u2011340, reflecting insecure random number generation and storage of predictable secrets.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the flaw as high severity. EPSS data is not available, so the likelihood of exploitation cannot be quantified from public data, but the simple brute\u2011force nature of the attack means a knowledgeable attacker can quickly enumerate attachment tokens. The vulnerability is not reported in CISA\u2019s KEV catalog, but the straightforward attack path \u2013 sequential IDs, low\u2011range size \u2013 makes it a high\u2011impact concern for any system exposing private attachments. Attackers would request tokens via enumeration and download files directly, bypassing all authentication checks."}}}}, "created": "2026-04-21T02:30:25.668376+00:00", "updated": "2026-04-21T15:37:55.177130+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}