CVE-2026-41902
CRITICAL
FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks
Title source: cnaDescription
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check: the hash remains valid indefinitely until it is consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, the Referer header sent to external CDNs by assets loaded on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated, permanent account takeover months or years after the invite was issued. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.
References (2)
Core References
x_refsource_confirm
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm
x_refsource_misc
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217
Scores
CVSS v3
9.1
EPSS
0.0025
EPSS Percentile
15.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-613
Status
published
Products (1)
freescout-help-desk/freescout
< 1.8.217
Published
May 07, 2026
Tracked Since
May 08, 2026