Permanent Account Takeover Vulnerability in FreeScout Help Desk by FreeScout
CVE-2026-41902

9.1 CRITICAL

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-41902?

FreeScout, a free help desk and shared inbox application built on the Laravel PHP framework, allows account takeover through stale invite links. The /user-setup/{hash} endpoint accepts a user's 60-character random invite_hash without enforcing any expiration, so an invite link stays valid indefinitely once it has been generated. Anyone who obtains the hash, for example from a forwarded invitation email, an external referrer log, or an invite that was issued but never completed, can finish the account setup flow and gain access to that account, including administrator accounts. Because nothing bounds the lifetime of the hash, this works months or even years after the invite was originally sent. The vulnerability is fixed in version 1.8.217. Operators who upgrade should also treat invite links sent before the upgrade as potentially exposed and reissue them rather than assuming the old links are harmless.
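To make the flaw concrete, the following is an added example and not FreeScout's own code: a Python stand-in for the Laravel user lookup behind /user-setup/{hash}, showing the advisory's never-expiring check next to a hardened version with a length gate, constant-time comparison, a hard expiry, and single-use invalidation once setup completes. The `User` fields, `INVITE_TTL`, and the function names are assumptions for illustration; the in-memory list iteration stands in for a database lookup by hash.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for this example, not FreeScout settings.
INVITE_TTL = timedelta(hours=48)
HASH_LEN = 60  # the advisory describes a 60-character random invite_hash


@dataclass
class User:
    """Stand-in for a users table row. Column names are assumptions."""
    email: str
    role: str
    invite_hash: Optional[str] = None
    invite_expires_at: Optional[datetime] = None
    password_set: bool = False


def issue_invite(user: User, now: datetime) -> str:
    """Generate a fresh invite hash and record when it stops being valid."""
    user.invite_hash = secrets.token_hex(30)  # 30 random bytes -> 60 hex chars
    user.invite_expires_at = now + INVITE_TTL
    user.password_set = False
    return user.invite_hash


def lookup_vulnerable(users: list[User], presented: str) -> Optional[User]:
    """Pre-1.8.217 behaviour as the advisory describes it: a stored hash
    matches forever, so a leaked link works whenever it is replayed."""
    for u in users:
        if u.invite_hash is not None and u.invite_hash == presented:
            return u
    return None


def lookup_hardened(users: list[User], presented: str, now: datetime) -> Optional[User]:
    """Same lookup with the checks a practitioner expects: length gate,
    constant-time comparison, and a hard expiry on the stored hash."""
    if len(presented) != HASH_LEN:
        return None
    for u in users:
        if u.invite_hash is None:
            continue
        # Compare as bytes so non-ASCII input cannot make compare_digest raise.
        if not hmac.compare_digest(u.invite_hash.encode(), presented.encode()):
            continue
        if u.invite_expires_at is None or now > u.invite_expires_at:
            return None  # matched, but the invite has lapsed
        return u
    return None


def complete_setup(user: User) -> None:
    """Single use: burn the hash once the account has been set up, so the
    same link cannot be replayed even inside the expiry window."""
    user.password_set = True
    user.invite_hash = None
    user.invite_expires_at = None


def demo() -> dict[str, bool]:
    """Constructed scenario: an admin invite leaks and is replayed much later."""
    issued = datetime(2026, 1, 1, tzinfo=timezone.utc)
    admin = User(email="admin@example.test", role="admin")
    users = [admin]
    link_hash = issue_invite(admin, issued)

    soon = issued + timedelta(hours=1)
    much_later = issued + timedelta(days=400)

    results = {
        "vulnerable_accepts_stale_hash": lookup_vulnerable(users, link_hash) is admin,
        "hardened_accepts_fresh_hash": lookup_hardened(users, link_hash, soon) is admin,
        "hardened_rejects_stale_hash": lookup_hardened(users, link_hash, much_later) is None,
        "hardened_rejects_wrong_length": lookup_hardened(users, link_hash[:-1], soon) is None,
    }

    # The legitimate user completes setup in time; the link must now be dead.
    complete_setup(lookup_hardened(users, link_hash, soon))
    results["hardened_rejects_replay_after_setup"] = (
        lookup_hardened(users, link_hash, soon + timedelta(minutes=5)) is None
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The expiry check is the part that closes this CVE; the single-use burn in `complete_setup` is the complementary control, since an expiry window alone still lets a leaked link be replayed until the window closes.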

Affected Version(s)

freescout < 1.8.217

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 7 May 2026

  • Vulnerability reserved