Unauthorized Access in FreeScout Help Desk System by Vendor
CVE-2026-40498

8.9 HIGH

Key Information:

Status
Vendor
CVE Published:
21 April 2026

What is CVE-2026-40498?

FreeScout Help Desk, prior to version 1.8.213, allows unauthenticated attackers to reach diagnostic and system tools that are intended for administrative use only. The vulnerability lies in the /system/cron endpoint, which exposes a static MD5 hash derived from the APP_KEY. With that hash, an attacker obtains Full Path Disclosure (internal server paths and process identifiers) and can mount Resource Exhaustion attacks by issuing automated requests that trigger resource-intensive background tasks, for which no mitigation exists. Because the hash is carried in GET requests, it can also be captured from server logs, browser caches, and proxy logs, which widens the exposure further.
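As an added example that is not code from FreeScout or from this advisory, the following access-log scanner flags the exposure pattern described above from a defender's side. It assumes combined-format web server logs, that the static APP_KEY-derived hash appears as a 32-character hex MD5 digest somewhere in the request target (the advisory does not say exactly where it is carried), and it uses constructed sample log lines; the hash is redacted before it is reported so the alert itself does not copy the value into yet another log.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Combined-format access log: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the static APP_KEY-derived hash travels as a hex MD5 digest (32 hex chars).
MD5_TOKEN_RE = re.compile(r'(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])')
CRON_PATH = "/system/cron"

# Constructed sample lines (hypothetical clients and token, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:10:01:02 +0000] "GET /system/cron/0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [22/Apr/2026:10:01:03 +0000] "GET /system/cron/0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [22/Apr/2026:10:02:10 +0000] "GET /mailbox/1 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2026:10:01:04 +0000] "GET /system/cron?key=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [22/Apr/2026:10:03:00 +0000] "GET /system/cron/0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def redact(target: str) -> str:
    """Replace the hash so the secret-derived value is not copied into alerts."""
    return MD5_TOKEN_RE.sub("<md5-token>", target)

def scan_access_log(lines: List[str], burst_threshold: int = 3) -> Dict[str, object]:
    """Flag GET requests to /system/cron that carry an MD5-style token.
    hash_in_url: (client, redacted target) per hit, i.e. where the hash now sits in a log.
    burst_clients: clients with >= burst_threshold hits (the automated-request pattern)."""
    hits: List[Tuple[str, str]] = []
    per_client: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = rec["target"].split("?", 1)[0]
        if path.startswith(CRON_PATH) and MD5_TOKEN_RE.search(rec["target"]):
            hits.append((rec["client"], redact(rec["target"])))
            per_client[rec["client"]] += 1
    burst = sorted(c for c, n in per_client.items() if n >= burst_threshold)
    return {"hash_in_url": hits, "burst_clients": burst}
```

Running `scan_access_log(SAMPLE_LOG.splitlines())` reports four token-bearing requests and one client over the burst threshold; on real logs, every hit is a place where the hash has already been written and should be treated as exposed.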

Affected Version(s)

freescout < 1.8.213

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved
