CVE-2026-40498
Published: 21 April 2026
Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure) and process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for logical access, directly preventing unauthenticated access to restricted diagnostic and system tools such as the /system/cron endpoint.
- Protects against denial-of-service events such as resource exhaustion from repeated invocations of heavy background tasks without rate limiting.
- Manages authenticators securely, addressing the weak static MD5 hash derived from APP_KEY that is exposed in responses, logs, and GET requests, and so mitigating brute-force and disclosure risks.
Security Summary
CVE-2026-40498 is a vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application, affecting versions prior to 1.8.213. It stems from improper access controls on the /system/cron endpoint, which relies on a static MD5 hash generated as md5(APP_KEY . 'web_cron_hash') for authentication. This allows unauthenticated access to diagnostic and system tools intended only for administrators, exposing the hash itself in responses and logs, as well as sensitive server details such as full path disclosure and process IDs. The absence of rate limiting further enables resource exhaustion through repeated invocation of heavy background tasks.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation reveals confidential information (CWE-200), bypasses access restrictions (CWE-284), and depletes server resources without limits (CWE-770). The hash's transmission via GET requests heightens risks from exposure in server logs, browser history, proxy logs, and potential brute-force attacks.
FreeScout version 1.8.213 addresses the issue with a fix detailed in the project's GitHub commit (b1d6c2c601a6ec3626ab13e679607b5084dfbd38), release notes (tag 1.8.213), and security advisory (GHSA-5jw5-q9j7-4rxc), which recommend upgrading immediately to mitigate unauthorized access and DoS risks.
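The description and summary above make three operational points: the cron token is a static value (md5 of APP_KEY concatenated with 'web_cron_hash'), it travels in GET requests and therefore lands in access logs, and nothing limits how often the endpoint can be hit. A defender can check all three against their own logs. The script below is an added example written for this page, not FreeScout's code or part of the fix in the referenced commit. It assumes an Apache/nginx combined log format, assumes the token arrives as some query-string value (the parameter name `hash` in the sample lines is a placeholder), and uses a constructed APP_KEY and constructed log lines; thresholds are illustrative.

```python
"""Added example (not FreeScout code): find signs of abuse of a static-token
cron endpoint in web-server access logs.

Assumptions: combined log format; the token is passed as some query-string
value (the parameter name 'hash' below is a placeholder); APP_KEY and every
log line are constructed for this example.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed key for the example; substitute your deployment's APP_KEY.
APP_KEY = "base64:EXAMPLE0000000000000000000000000000000000000="


def expected_cron_hash(app_key: str) -> str:
    """md5(APP_KEY . 'web_cron_hash') as stated in the advisory ('.' is PHP
    string concatenation). The value is static for the life of the key, so
    once it appears in any log it stays valid until the key is rotated."""
    return hashlib.md5((app_key + "web_cron_hash").encode()).hexdigest()


# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    params = {}
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "params": params,
        "status": int(m["status"]),
    }


def analyze(lines, app_key, window=timedelta(seconds=60), burst=5):
    """Three findings, each keyed by source IP:
    token_in_log - the deployment's own cron hash appears in a query string,
                   i.e. the static token has leaked into the access log;
    probe        - /system/cron was requested with a non-matching token,
                   consistent with guessing or reuse of a stale token;
    burst        - at least `burst` hits on /system/cron within `window`,
                   the repeated invocation the advisory warns about."""
    known = expected_cron_hash(app_key)
    report = {"token_in_log": defaultdict(int), "probe": defaultdict(int), "burst": {}}
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/system/cron"):
            continue
        hits[rec["ip"]].append(rec["ts"])
        if known in rec["params"].values():
            report["token_in_log"][rec["ip"]] += 1
        else:
            report["probe"][rec["ip"]] += 1
    for ip, times in hits.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:  # slide the window's left edge forward
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= burst:
            report["burst"][ip] = peak
    return {k: dict(v) for k, v in report.items()}


KNOWN_HASH = expected_cron_hash(APP_KEY)

# Constructed log lines: one client hitting the endpoint with the real token
# five times in 40 s, one client sending a wrong token, one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Apr/2026:10:00:{s:02d} +0000] '
    f'"GET /system/cron?hash={KNOWN_HASH} HTTP/1.1" 200 512'
    for s in range(0, 50, 10)
] + [
    '198.51.100.9 - - [21/Apr/2026:10:05:00 +0000] '
    '"GET /system/cron?hash=0000deadbeef HTTP/1.1" 403 128',
    '192.0.2.44 - - [21/Apr/2026:10:06:00 +0000] '
    '"GET /conversation/12 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for kind, by_ip in analyze(SAMPLE_LOG, APP_KEY).items():
        print(kind, by_ip)
```

A `token_in_log` hit is the actionable one: it means the static token is already recorded in plain text wherever those logs are shipped, and rotating APP_KEY (after upgrading to 1.8.213) is the only way to invalidate it. The `burst` check is a stand-in for the rate limiting the vulnerable versions lack; the window and count are illustrative and should be tuned to how often a legitimate web cron trigger fires in your deployment.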
Details
- CWE(s): CWE-200, CWE-284, CWE-770
Affected Products
- FreeScout, versions prior to 1.8.213
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing web application enables unauthenticated remote exploitation: access to administrator-only tools (information disclosure) and resource exhaustion via repeated invocation of heavy background tasks.