CVE-2026-40496: CWE-330: Use of Insufficiently Random Values in freescout-help-desk freescout
FreeScout versions prior to 1. 8. 213 use a weak and predictable method to generate attachment download tokens, allowing unauthenticated attackers to forge valid tokens and download private attachments. The tokens are generated using md5 hashing of a concatenation of APP_KEY, a sequential attachment_id, and a size value that can be brute-forced. This vulnerability is fixed in version 1. 8. 213.
AI Analysis
Technical Summary
The vulnerability in FreeScout (CVE-2026-40496) arises from the use of insufficiently random values to generate attachment download tokens. Specifically, tokens are created using md5(APP_KEY + attachment_id + size), where attachment_id is sequential and size can be brute-forced within a limited range. This weak token generation allows unauthenticated attackers to forge valid tokens and access private attachments without credentials. The issue is addressed in FreeScout version 1.8.213.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to download any private attachment from affected FreeScout instances, potentially leading to unauthorized data disclosure. The CVSS 4.0 score is 8.8 (high severity), indicating a significant risk due to network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.213 or later, where the token generation method has been fixed to prevent token forgery. Patch status is not explicitly stated in a vendor advisory, but the version update is the official fix. Until upgraded, restrict access to the FreeScout instance and monitor for suspicious activity related to attachment downloads.
CVE-2026-40496: CWE-330: Use of Insufficiently Random Values in freescout-help-desk freescout
Description
FreeScout versions prior to 1. 8. 213 use a weak and predictable method to generate attachment download tokens, allowing unauthenticated attackers to forge valid tokens and download private attachments. The tokens are generated using md5 hashing of a concatenation of APP_KEY, a sequential attachment_id, and a size value that can be brute-forced. This vulnerability is fixed in version 1. 8. 213.
CVSS v4.0
Score 8.8high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in FreeScout (CVE-2026-40496) arises from the use of insufficiently random values to generate attachment download tokens. Specifically, tokens are created using md5(APP_KEY + attachment_id + size), where attachment_id is sequential and size can be brute-forced within a limited range. This weak token generation allows unauthenticated attackers to forge valid tokens and access private attachments without credentials. The issue is addressed in FreeScout version 1.8.213.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to download any private attachment from affected FreeScout instances, potentially leading to unauthorized data disclosure. The CVSS 4.0 score is 8.8 (high severity), indicating a significant risk due to network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.213 or later, where the token generation method has been fixed to prevent token forgery. Patch status is not explicitly stated in a vendor advisory, but the version update is the official fix. Until upgraded, restrict access to the FreeScout instance and monitor for suspicious activity related to attachment downloads.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.115Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6d6dd19fe3cd2cd64f73a
Added to database: 4/21/2026, 1:46:05 AM
Last enriched: 4/28/2026, 6:06:08 AM
Last updated: 6/2/2026, 10:30:25 PM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.