CVE-2026-27637
Published: 25 February 2026
Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (it never expires or rotates), so if an attacker obtains the `APP_KEY`, a well-documented and common exposure vector in Laravel applications, they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates strong generation, protection, expiration, and rotation of authenticators. Applied to the static, predictable MD5-based tokens described here, it directly prevents token reconstruction and account takeover even if APP_KEY is exposed.
SI-2 requires timely flaw remediation, such as patching FreeScout to version 1.8.206, which fixes the predictable token generation vulnerability.
CM-6 enforces secure configuration settings to protect sensitive values like the Laravel APP_KEY from common exposure vectors, blocking a key prerequisite for token reconstruction.
Security Summary
CVE-2026-27637 is a critical authentication vulnerability in FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. In versions prior to 1.8.206, the TokenAuth middleware generates a predictable, static authentication token using an MD5 hash of the concatenation of user_id, created_at, and the application's APP_KEY. This token does not expire or rotate, making it susceptible to reconstruction by attackers who obtain the APP_KEY, a commonly exposed configuration value in Laravel deployments. The issue is classified under CWE-330 (Use of Insufficiently Random Values) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers require only access to the APP_KEY to exploit this vulnerability, enabling them to compute valid authentication tokens for arbitrary users, including administrators, and achieve full account takeover without knowledge of passwords. Exploitation is straightforward over the network with low complexity, no privileges, and no user interaction required. The flaw can be leveraged independently or chained with CVE-2026-27636 for enhanced impact.
FreeScout version 1.8.206 addresses this vulnerability, along with CVE-2026-27636, through changes detailed in the project's GitHub commit 004a8231f6e413af1d4680930b0e2342fd4283f9. Security advisories GHSA-6gcm-v8xf-j9v9 and GHSA-mw88-x7j3-74vc on the FreeScout GitHub repository recommend upgrading to the patched version as the primary mitigation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical authentication bypass in a public-facing web application (the FreeScout help desk). It allows remote, unauthenticated attackers who hold an exposed APP_KEY to reconstruct static authentication tokens and take over arbitrary accounts, which maps directly to T1190: Exploit Public-Facing Application.