FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- <= 1.8.205
FreeScout's TokenAuth middleware prior to version 1.8.206 generates predictable authentication tokens. Each token is an MD5 hash of the user ID, creation timestamp, and application key (APP_KEY), so it is static and never expires. If an attacker gains access to the APP_KEY, they can create a valid token for any user, including administrators, leading to unauthorized account access. This vulnerability can be exploited independently or alongside another vulnerability, CVE-2026-27636.
Exploitation of this vulnerability allows for full account takeover of any FreeScout user, including administrators. An attacker would gain access to all helpdesk conversations and customer data, the ability to modify system settings and create new admin accounts, and potentially compromise the server through admin functionalities.
To reproduce this vulnerability, an attacker must first obtain the APP_KEY from a vulnerable FreeScout instance. Once the APP_KEY is acquired, the attacker can compute a valid authentication token for the admin user by concatenating the user ID, the admin's account creation timestamp, and the APP_KEY, then hashing the result with MD5. After generating the token, the attacker can authenticate as the admin by sending a request that includes the token, with the 'in_app' cookie set to '1'.
Users can update to FreeScout version 1.8.206 or later, which addresses this vulnerability.
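The design difference behind this issue, as an added example that is neither FreeScout's code nor the 1.8.206 patch: `legacy_token` models the derivation described above (the exact string formatting is an assumption), and the hypothetical `TokenStore` shows the properties a static token lacks: randomness, expiry and revocation. All names and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime, not a FreeScout setting


def legacy_token(user_id, created_at, app_key):
    """Model of the derivation the advisory describes (formatting assumed).

    Every input is fixed for the life of the account, so the output is too:
    it cannot expire, and rotating it means rotating the application key.
    """
    return hashlib.md5(f"{user_id}{created_at}{app_key}".encode()).hexdigest()


class TokenStore:
    """Hypothetical hardened design: random, expiring, revocable tokens."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (user_id, self._now() + TOKEN_TTL)
        return token  # shown to the client once, never derivable from secrets

    def verify(self, token):
        digest = self._digest(token)
        row = self._rows.get(digest)
        if row is None:
            return None
        user_id, expires_at = row
        if self._now() >= expires_at:
            del self._rows[digest]  # expired tokens are purged on use
            return None
        return user_id

    def revoke_user(self, user_id):
        # Password change, logout or incident response invalidates all tokens.
        self._rows = {d: r for d, r in self._rows.items() if r[0] != user_id}
```

With this design, knowledge of the application key gives no way to compute a token, and an exposed token stops working once it expires or is revoked.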