CVE-2026-27637

{"id": "CVE-2026-27637", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-02-25T04:16:04.110", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/004a8231f6e413af1d4680930b0e2342fd4283f9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc", "tags": ["Not Applicable"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-330"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` \u2014 a well-documented and common exposure vector in Laravel applications \u2014 they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia t\u00e9cnica gratuito y un buz\u00f3n compartido creado con el marco Laravel de PHP. Antes de la versi\u00f3n 1.8.206, el middleware 'TokenAuth' de FreeScout utiliza un token de autenticaci\u00f3n predecible calculado como 'MD5(user_id + created_at + APP_KEY)'. Este token es est\u00e1tico (nunca expira/rota), y si un atacante obtiene la 'APP_KEY' \u2014 un vector de exposici\u00f3n bien documentado y com\u00fan en aplicaciones Laravel \u2014 pueden calcular un token v\u00e1lido para cualquier usuario, incluido el administrador, logrando una toma de control total de la cuenta sin ninguna contrase\u00f1a. Esta vulnerabilidad puede ser explotada por s\u00ed misma o en combinaci\u00f3n con CVE-2026-27636. La versi\u00f3n 1.8.206 corrige ambas vulnerabilidades."}], "lastModified": "2026-02-26T16:08:44.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79CA8F5D-FF18-4F10-A6AF-3DBED9542088", "versionEndExcluding": "1.8.206"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}