CVE-2026-41902: CWE-613: Insufficient Session Expiration in freescout-help-desk freescout
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.
AI Analysis
Technical Summary
CVE-2026-41902 is a critical vulnerability in FreeScout (before version 1.8.217) where the /user-setup/{hash} endpoint uses a 60-character invite_hash to allow new users to set passwords. The invite_hash does not expire, enabling attackers who obtain the hash through various leak scenarios (such as forwarded emails, HTTP referrers, server logs, or abandoned invites) to perform permanent account takeover without authentication. This can lead to full compromise of user accounts, including administrative accounts if the leaked invite belongs to an admin. The vulnerability is classified as CWE-613 (Insufficient Session Expiration).
Potential Impact
An attacker who obtains a leaked invite_hash can permanently take over the associated user account without authentication. If the invite belongs to an administrator, the attacker gains full administrative access to the FreeScout instance. This compromises confidentiality and integrity of the system but does not affect availability. The CVSS v3.1 score is 9.1 (critical), reflecting the ease of exploitation and high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability has been patched in FreeScout version 1.8.217. Users should upgrade to version 1.8.217 or later to remediate this issue. No other mitigation or temporary workaround is indicated. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix in 1.8.217.
CVE-2026-41902: CWE-613: Insufficient Session Expiration in freescout-help-desk freescout
Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41902 is a critical vulnerability in FreeScout (before version 1.8.217) where the /user-setup/{hash} endpoint uses a 60-character invite_hash to allow new users to set passwords. The invite_hash does not expire, enabling attackers who obtain the hash through various leak scenarios (such as forwarded emails, HTTP referrers, server logs, or abandoned invites) to perform permanent account takeover without authentication. This can lead to full compromise of user accounts, including administrative accounts if the leaked invite belongs to an admin. The vulnerability is classified as CWE-613 (Insufficient Session Expiration).
Potential Impact
An attacker who obtains a leaked invite_hash can permanently take over the associated user account without authentication. If the invite belongs to an administrator, the attacker gains full administrative access to the FreeScout instance. This compromises confidentiality and integrity of the system but does not affect availability. The CVSS v3.1 score is 9.1 (critical), reflecting the ease of exploitation and high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability has been patched in FreeScout version 1.8.217. Users should upgrade to version 1.8.217 or later to remediate this issue. No other mitigation or temporary workaround is indicated. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix in 1.8.217.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T15:11:54.672Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fcdf2dcbff5d86101f12d8
Added to database: 5/7/2026, 6:51:25 PM
Last enriched: 5/7/2026, 7:07:49 PM
Last updated: 5/8/2026, 2:43:50 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.