CVE-2026-27637 (GCVE-0-2026-27637)
Vulnerability from cvelistv5 – Published: 2026-02-25 03:41 – Updated: 2026-02-25 15:21
Title
FreeScout's Predictable Authentication Token Enables Account Takeover
Summary
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
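To make the weakness concrete, the following is an added example, not FreeScout's code and not the fix from the advisory, written in Python rather than the project's PHP so it runs stand-alone. It models the derived token the summary describes beside a random, hashed, expiring alternative. The exact string FreeScout hashed, the timestamp format, the TTL and the sample APP_KEY are assumptions made for illustration.

```python
"""Predictable (derived) API token versus a random, hashed, expiring one.

Added illustration for the CVE text above; it is not FreeScout code. The
concatenation order, timestamp format, TTL and sample key are assumptions.
"""
import hashlib
import hmac
import secrets

# ---- Weak scheme, modelled on MD5(user_id + created_at + APP_KEY) ----------
# The exact string FreeScout hashed is not shown on this page; a plain
# concatenation is assumed here. Whatever the layout, the property that
# matters is that the token is a pure function of data the server holds anyway.

def weak_token(user_id: int, created_at: str, app_key: str) -> str:
    return hashlib.md5(f"{user_id}{created_at}{app_key}".encode()).hexdigest()


def weak_verify(presented: str, user_id: int, created_at: str, app_key: str) -> bool:
    # The server re-derives the token, so anyone holding app_key plus the
    # user's id and created_at produces the same value. It never changes, so
    # nothing short of changing APP_KEY for the whole site revokes it.
    return hmac.compare_digest(presented, weak_token(user_id, created_at, app_key))


# ---- Hardened scheme: unpredictable, stored hashed, time-limited, revocable ---
TOKEN_TTL = 3600  # seconds; assumed policy value, not from the advisory


class TokenStore:
    """Server-side table keyed by SHA-256(token); the raw token is never stored."""

    def __init__(self) -> None:
        self._by_hash: dict[str, tuple[int, float]] = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._h(token)] = (user_id, now + TOKEN_TTL)
        return token  # shown to the client once; only the hash is kept

    def verify(self, presented: str, now: float):
        key = self._h(presented)  # exact-match lookup on a hash of the secret
        rec = self._by_hash.get(key)
        if rec is None:
            return None
        user_id, expires_at = rec
        if now >= expires_at:
            del self._by_hash[key]  # expired: purge, do not accept
            return None
        return user_id

    def revoke(self, user_id: int) -> int:
        """Drop every token for a user (rotation on logout or compromise)."""
        doomed = [h for h, (uid, _) in self._by_hash.items() if uid == user_id]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)


def demo():
    # Constructed sample values; the key is not a real Laravel APP_KEY.
    app_key = "base64:c2FtcGxlLWFwcC1rZXktZm9yLWlsbHVzdHJhdGlvbg=="
    admin_id, created_at = 1, "2024-01-01 00:00:00"

    # An attacker who leaked app_key and knows the admin's id and creation
    # time recomputes the admin's token offline, and the server accepts it.
    forged = weak_token(admin_id, created_at, app_key)
    forged_accepted = weak_verify(forged, admin_id, created_at, app_key)

    store = TokenStore()
    t0 = 1_700_000_000.0
    real = store.issue(admin_id, t0)
    accepted_fresh = store.verify(real, t0 + 10)
    # Knowing app_key gives nothing to recompute against the random scheme.
    guess_accepted = store.verify(weak_token(admin_id, created_at, app_key), t0 + 10)
    # Tokens expire: at now >= expires_at the record is purged.
    accepted_stale = store.verify(real, t0 + TOKEN_TTL)
    # Tokens rotate: revoking a user kills every outstanding token at once.
    third = store.issue(admin_id, t0 + TOKEN_TTL)
    store.issue(admin_id, t0 + TOKEN_TTL)
    revoked = store.revoke(admin_id)
    after_revoke = store.verify(third, t0 + TOKEN_TTL + 1)
    return forged_accepted, accepted_fresh, accepted_stale, guess_accepted, revoked, after_revoke


if __name__ == "__main__":
    print(demo())
```

The point the two halves make is that the hash algorithm is not the problem: replacing MD5 with SHA-256 in the weak scheme would leave it exactly as forgeable, because the token is still a deterministic function of the key and of per-user data. The fix is a secret the server did not derive, kept only as a hash, with an expiry and a revocation path. Operationally, on a pre-1.8.206 instance whose APP_KEY has been exposed, every user's token should be treated as compromised; upgrading alone does not help until APP_KEY is also rotated, and rotating APP_KEY invalidates anything Laravel encrypted with it, so plan for that.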
Severity
9.8 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
GitHub_M (security-advisories@github.com)
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| freescout-help-desk | freescout | < 1.8.206 (affected) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27637",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:21:46.046132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:21:52.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.206"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to version 1.8.206, FreeScout\u0027s `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T03:41:23.478Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9"
},
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9"
}
],
"source": {
"advisory": "GHSA-6gcm-v8xf-j9v9",
"discovery": "UNKNOWN"
},
"title": "FreeScout\u0027s Predictable Authentication Token Enables Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27637",
"datePublished": "2026-02-25T03:41:23.478Z",
"dateReserved": "2026-02-20T22:02:30.029Z",
"dateUpdated": "2026-02-25T15:21:52.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-27637",
"date": "2026-06-29",
"epss": "0.00668",
"percentile": "0.47252"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27637\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T04:16:04.110\",\"lastModified\":\"2026-06-17T10:27:26.093\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to version 1.8.206, FreeScout\u0027s `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.\"},{\"lang\":\"es\",\"value\":\"FreeScout es un servicio de asistencia t\u00e9cnica gratuito y un buz\u00f3n compartido creado con el marco Laravel de PHP. Antes de la versi\u00f3n 1.8.206, el middleware \u0027TokenAuth\u0027 de FreeScout utiliza un token de autenticaci\u00f3n predecible calculado como \u0027MD5(user_id + created_at + APP_KEY)\u0027. Este token es est\u00e1tico (nunca expira/rota), y si un atacante obtiene la \u0027APP_KEY\u0027 \u2014 un vector de exposici\u00f3n bien documentado y com\u00fan en aplicaciones Laravel \u2014 pueden calcular un token v\u00e1lido para cualquier usuario, incluido el administrador, logrando una toma de control total de la cuenta sin ninguna contrase\u00f1a. Esta vulnerabilidad puede ser explotada por s\u00ed misma o en combinaci\u00f3n con CVE-2026-27636. La versi\u00f3n 1.8.206 corrige ambas vulnerabilidades.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"freescout-help-desk\",\"product\":\"freescout\",\"versions\":[{\"version\":\"\u003c 1.8.206\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-25T15:21:46.046132Z\",\"id\":\"CVE-2026-27637\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.8.206\",\"matchCriteriaId\":\"79CA8F5D-FF18-4F10-A6AF-3DBED9542088\"}]}]}],\"references\":[{\"url\":\"https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Not Applicable\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27637\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-25T15:21:46.046132Z\"}}}], \"references\": [{\"url\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-25T15:21:36.440Z\"}}], \"cna\": {\"title\": \"FreeScout\u0027s Predictable Authentication Token Enables Account Takeover\", \"source\": {\"advisory\": \"GHSA-6gcm-v8xf-j9v9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"freescout-help-desk\", \"product\": \"freescout\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.206\"}]}], \"references\": [{\"url\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9\", \"name\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc\", \"name\": \"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9\", \"name\": \"https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to version 1.8.206, FreeScout\u0027s `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \\u2014 a well-documented and common exposure vector in Laravel applications \\u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-330\", \"description\": \"CWE-330: Use of Insufficiently Random Values\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-25T03:41:23.478Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27637\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-25T15:21:52.817Z\", \"dateReserved\": \"2026-02-20T22:02:30.029Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-25T03:41:23.478Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.