External risk intelligence

FreeScout account takeover via permanent invite links

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-41902

FreeScout allows anyone to take over any account if they obtain a leaked invite link because setup links never expire, potentially leading to full system compromise. This issue is patched in version 1.8.217.

Halo Surface Signal score: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-41902

FreeScout is a web-based help desk and shared inbox application. These systems are commonly deployed as internet-facing web applications to manage customer communications and internal support workflows, making their web interfaces and associated endpoints, including user management paths, potentially accessible to external networks.

Horizon Alert

Summary of the vulnerability and why it matters

A security issue in FreeScout allows unauthorized users to take over accounts, even months or years after an invitation was issued. This happens because account setup links do not expire, and sensitive information like these links can leak through various means. If an administrative account is compromised, this could lead to a full system takeover.

  • Permanently compromise user accounts.
  • Gain unauthorized access to sensitive support information.
  • Escalate privileges to administrator level.

Attack Path

How an attacker could exploit the issue

An attacker can take over any FreeScout account if they obtain a leaked user setup hash. Because the application never expires these hashes, anyone holding a previously issued invite hash, however old, can use it to set a new password for the account. If the leaked hash belongs to an administrator, the attacker gains full control of the help desk.

  • No authentication is required.
  • The user-setup endpoint is the target.
  • A setup hash must have leaked.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in FreeScout allows unauthenticated account takeover via indefinitely valid invite hashes, a significant risk for customer-facing help desk systems. Attackers would likely find this appealing due to the potential for full system compromise, especially if an admin account can be taken over. The risk is amplified by common hash leakage vectors like email forwarding or exposed logs.

  • Exploitation hinges on leaked hashes.
  • Patch available in version 1.8.217.
  • No KEV listing at the time of writing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching FreeScout instances to version 1.8.217 to address the indefinite account takeover vulnerability via leaked invite hashes. If immediate patching is not feasible, implement stricter access controls and monitoring for the user-setup endpoint.

  • Update FreeScout to version 1.8.217.
  • Monitor for unexpected user creation or password resets.
  • Restrict access to user-setup endpoints.

Frequently asked questions

What is FreeScout and its primary function?

FreeScout is a free help desk and shared inbox application. It is built on PHP's Laravel framework and is used to manage customer communications and internal support workflows.

What type of vulnerability does CVE-2026-41902 represent?

CVE-2026-41902 is an authentication weakness in the account setup flow: invite (user-setup) links never expire, so anyone who obtains a leaked setup hash can set a new password for the account and take it over, as described in the sections above.

How is the CVE-2026-41902 vulnerability triggered?

Exploitation of this vulnerability requires an attacker to obtain a leaked user setup hash. The application's user-setup endpoint accepts this hash without an expiration check, allowing it to be used indefinitely to set a new password.

What is the relevance of CVE-2026-41902 to user accounts?

This vulnerability enables unauthenticated, permanent account takeover if an attacker obtains a leaked user setup hash. If the compromised account belongs to an administrator, the attacker can gain full administrative control of the help desk system.

What actions should be taken to address the FreeScout vulnerability?

To mitigate the risk posed by CVE-2026-41902, it is recommended to update FreeScout to version 1.8.217, which contains the patch for this issue. Monitoring for unusual user creation or password reset activities is also advised.
