CVE-2026-40498 affects FreeScout help desk software versions before 1.8.213. An unauthenticated attacker can access restricted system and diagnostic endpoints, notably /system/cron, which relies on a static MD5 hash generated from the APP_KEY concatenated with 'web_cron_hash'. This hash is exposed in server responses and logs, making it accessible through GET requests in browser history and proxy logs. The vulnerability leads to exposure of sensitive server information such as full path disclosure and process IDs. Additionally, the lack of rate limiting on these endpoints allows attackers to repeatedly trigger resource-intensive background tasks, causing potential denial of service. The issue is fixed in version 1.8.213.

The vulnerability allows unauthenticated attackers to gain access to sensitive server information that should be restricted, including full path disclosures and process IDs. This exposure can aid further attacks or reconnaissance. The static hash mechanism and its exposure increase the risk of unauthorized access. Furthermore, the absence of rate limiting enables attackers to perform resource exhaustion attacks, potentially causing denial of service by overloading server resources. There are no known exploits in the wild as of the publication date.

Upgrade FreeScout to version 1.8.213 or later, where this vulnerability is fixed. The vendor has addressed the issue in this release. Until upgrading, restrict access to the /system/cron endpoint and monitor for unusual activity if possible. Patch status is not explicitly stated in the vendor advisory, but the version update is the official fix.