FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File...

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.

AI Analysis

Unauthenticated attackers can download private attachments due to predictable attachment tokens

Basic Information

ID CVE-2026-40496

Source GitHub_M

Published Apr 21, 2026 at 01:38

Affected Product

Vendor freescout-help-desk

Product freescout

Version < 1.8.213

Affected Versions freescout-help-desk freescout < 1.8.213

CWE Classification

CWE-330 CWE-340

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor FreeScout

Product FreeScout Help Desk

Version < 1.8.213

References

{
    "lastseen": "",
    "description": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.",
    "published": "2026-04-21T01:38:50.117Z",
    "modified": "2026-04-21T01:38:50.117Z",
    "type": "cve",
    "title": "FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force",
    "source": "GitHub_M",
    "references": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr\nhttps://github.com/freescout-help-desk/freescout/commit/dbdf8f2260b43a21818255c70f0b61b9de9cd555\nhttps://github.com/freescout-help-desk/freescout/releases/tag/1.8.213",
    "id": "CVE-2026-40496",
    "bulletinFamily": "",
    "cwe": [
        "CWE-330",
        "CWE-340"
    ],
    "cvelist": null,
    "sourceData": "freescout-help-desk freescout < 1.8.213",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "freescout",
    "version": "< 1.8.213",
    "vendor": "freescout-help-desk",
    "ai_description": "Unauthenticated attackers can download private attachments due to predictable attachment tokens",
    "ai_severity": "High",
    "ai_vendor": "FreeScout",
    "ai_product": "FreeScout Help Desk",
    "ai_version": "< 1.8.213",
    "ai_score": 8.8
}

FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force_CVE-2026-40496