CVE-2026-40496: CWE-330: Use of Insufficiently Random Values in freescout-help-desk freescout
FreeScout versions prior to 1. 8. 213 use a weak and predictable method to generate attachment download tokens, allowing unauthenticated attackers to forge valid tokens and download private attachments without credentials. The vulnerability arises from the use of MD5 hashing over predictable inputs including a sequential attachment ID and a small range of file sizes. This issue is fixed in version 1. 8. 213.
AI Analysis
Technical Summary
FreeScout, a self-hosted help desk software, prior to version 1.8.213, generates attachment download tokens using the formula md5(APP_KEY + attachment_id + size). Because attachment_id values are sequential and size values can be brute-forced within a limited range, an attacker without authentication can predict and forge valid tokens to access private attachments. This represents a CWE-330 (Use of Insufficiently Random Values) and CWE-340 (Insufficiently Random Values) vulnerability. The issue is resolved in version 1.8.213.
Potential Impact
An unauthenticated attacker can bypass access controls to download any private attachment by forging valid download tokens. This compromises confidentiality of potentially sensitive data stored as attachments in FreeScout instances running vulnerable versions.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.213 or later, where the token generation method has been fixed to prevent token forgery. Patch status is not explicitly stated but the vendor has released version 1.8.213 to address this issue, so updating to this version is the recommended remediation.
CVE-2026-40496: CWE-330: Use of Insufficiently Random Values in freescout-help-desk freescout
Description
FreeScout versions prior to 1. 8. 213 use a weak and predictable method to generate attachment download tokens, allowing unauthenticated attackers to forge valid tokens and download private attachments without credentials. The vulnerability arises from the use of MD5 hashing over predictable inputs including a sequential attachment ID and a small range of file sizes. This issue is fixed in version 1. 8. 213.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FreeScout, a self-hosted help desk software, prior to version 1.8.213, generates attachment download tokens using the formula md5(APP_KEY + attachment_id + size). Because attachment_id values are sequential and size values can be brute-forced within a limited range, an attacker without authentication can predict and forge valid tokens to access private attachments. This represents a CWE-330 (Use of Insufficiently Random Values) and CWE-340 (Insufficiently Random Values) vulnerability. The issue is resolved in version 1.8.213.
Potential Impact
An unauthenticated attacker can bypass access controls to download any private attachment by forging valid download tokens. This compromises confidentiality of potentially sensitive data stored as attachments in FreeScout instances running vulnerable versions.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.213 or later, where the token generation method has been fixed to prevent token forgery. Patch status is not explicitly stated but the vendor has released version 1.8.213 to address this issue, so updating to this version is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.115Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6d6dd19fe3cd2cd64f73a
Added to database: 4/21/2026, 1:46:05 AM
Last enriched: 4/21/2026, 2:01:06 AM
Last updated: 4/21/2026, 4:01:24 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.