What is CVE-2026-27637?

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5...

How severe is CVE-2026-27637?

CVE-2026-27637 is rated critical severity with a CVSS score of 9.8 out of 10.

What products are affected by CVE-2026-27637?

CVE-2026-27637 affects PHP, Laravel. Check vendor advisories for specific affected versions.

How do I fix CVE-2026-27637?

The vendor has published a patch — see the "Vendor Patch" link in the references section. If you cannot patch immediately, review mitigation guidance in this advisory and monitor for exploitation attempts.

CVE-2026-27637: Php

Overview

A critical authentication bypass vulnerability has been identified in FreeScout, a popular open-source help desk application. This flaw allows an attacker to forge valid login tokens for any user, including administrators, leading to a complete system compromise.

Vulnerability Details

In affected versions, FreeScout uses a predictable and static method for generating user authentication tokens. The token is created by calculating an MD5 hash of a simple combination: the user’s ID, their account creation timestamp, and the application’s secret APP_KEY.

The core issues are:

Predictable Generation: The formula is simple and deterministic.
No Expiry or Rotation: Once created, a token is valid forever.
Single Point of Failure: If the APP_KEY is exposed, all user tokens can be forged.

Since the APP_KEY is a common exposure vector in Laravel applications (often leaked in public repositories or misconfigured environments), an attacker who obtains it can easily calculate a working login token for any user account without needing a password.

Impact

The impact of this vulnerability is severe (CVSS Score: 9.8 - CRITICAL). A successful exploit results in:

Full Account Takeover: Attackers can log in as any user, including administrators with full system control.
Data Breach: Unauthorized access to all help desk tickets, customer communications, and sensitive internal data.
Further System Compromise: Administrative access can be used to deploy malware, create backdoors, or attack connected systems. This vulnerability may also be chained with other flaws (like CVE-2026-27636) for increased effect.

Remediation and Mitigation

Immediate action is required to secure affected installations.

Primary Fix:

Upgrade Immediately: All users must upgrade to FreeScout version 1.8.206 or later, which contains the security patch for this vulnerability. This update addresses the flawed token generation mechanism.

Immediate Mitigation Steps (If Upgrade is Delayed):

Audit for APP_KEY Exposure: Immediately check for any accidental public exposure of your .env file or APP_KEY in code repositories, backups, or server logs.
Rotate the APP_KEY: If any exposure is suspected, generate a new APP_KEY. Warning: This will invalidate all existing user sessions and some encrypted data; ensure you follow the official Laravel and FreeScout procedures for key rotation.
Monitor for Suspicious Activity: Review application and server logs for any unauthorized login attempts or access from unfamiliar locations.

General Best Practice:

Never commit .env files or any files containing secrets to version control.
Restrict access to application configuration files and directories on your server.
Maintain a regular schedule for applying security updates to all software components.

CVE-2026-27637: Php

Overview

Vulnerability Details

Impact

Remediation and Mitigation

Never miss a critical vulnerability

Related Advisories

Other PHP Vulnerabilities

Overview

Vulnerability Details

Impact

Remediation and Mitigation

Never miss a critical vulnerability

Related Advisories

Other PHP Vulnerabilities

Never Miss a Critical Alert