Cyber Posture

CVE-2026-27637

Severity: Critical · Public PoC referenced

Published: 25 February 2026
Modified: 26 February 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27637 is a critical-severity Use of Insufficiently Random Values (CWE-330) vulnerability in FreeScout (NVD vendor/product: Freescout Freescout). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.3% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- IA-5 (prevent): IA-5 mandates strong generation, protection, expiration, and rotation of authenticators. Applied to the static, predictable MD5-based tokens here, it prevents token reconstruction and account takeover even if APP_KEY is exposed.
- SI-2 (prevent): SI-2 requires timely flaw remediation, such as patching FreeScout to version 1.8.206, which fixes the predictable token generation vulnerability.
- CM-6 (prevent): CM-6 enforces secure configuration settings to protect sensitive values like the Laravel APP_KEY from common exposure vectors, blocking a key prerequisite for token reconstruction.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a critical authentication bypass in a public-facing web application (FreeScout help desk), allowing remote unauthenticated attackers to reconstruct static authentication tokens for arbitrary account takeover using exposed APP_KEY, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5(user_id + created_at + APP_KEY)`. This token is static (never expires/rotates), and if an attacker obtains the `APP_KEY` — a well-documented and common exposure vector in Laravel applications — they can compute a valid token for any user, including the administrator, achieving full account takeover without any password. This vulnerability can be exploited on its own or in combination with CVE-2026-27636. Version 1.8.206 fixes both vulnerabilities.

Deeper analysis

CVE-2026-27637 is a critical authentication vulnerability in FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. In versions prior to 1.8.206, the TokenAuth middleware generates a predictable, static authentication token using an MD5 hash of the concatenation of user_id, created_at, and the application's APP_KEY. This token does not expire or rotate, making it susceptible to reconstruction by attackers who obtain the APP_KEY, a commonly exposed configuration value in Laravel deployments. The issue is classified under CWE-330 (Use of Insufficiently Random Values) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers require only access to the APP_KEY to exploit this vulnerability, enabling them to compute valid authentication tokens for arbitrary users, including administrators, and achieve full account takeover without knowledge of passwords. Exploitation is straightforward over the network with low complexity, no privileges, and no user interaction required. The flaw can be leveraged independently or chained with CVE-2026-27636 for enhanced impact.

FreeScout version 1.8.206 addresses this vulnerability, along with CVE-2026-27636, through changes detailed in the project's GitHub commit 004a8231f6e413af1d4680930b0e2342fd4283f9. Security advisories GHSA-6gcm-v8xf-j9v9 and GHSA-mw88-x7j3-74vc on the FreeScout GitHub repository recommend upgrading to the patched version as the primary mitigation.
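The properties the analysis above calls for (unpredictable, expiring, rotatable tokens that cannot be recomputed from APP_KEY and stored user fields) can be demonstrated in plain PHP. This is an added illustration, not FreeScout's code and not the project's actual fix; the in-memory `$store` array standing in for a token table and the one-hour TTL are assumptions.

```php
<?php
// Added example (not FreeScout's code): an opaque bearer-token scheme that
// avoids CWE-330. Assumed storage: an in-memory array standing in for a
// table of (user_id, token_hash, expires_at).
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;   // assumption: tokens live one hour, then must be reissued

/** Issue a fresh token for a user. Returns the plaintext token (shown once to the client). */
function issueToken(array &$store, int $userId, int $now): string
{
    // Unpredictable: 32 bytes from the OS CSPRNG, independent of APP_KEY,
    // user_id and created_at, so no leaked configuration value lets anyone recompute it.
    $token = bin2hex(random_bytes(32));

    // Store only a hash so a database read does not yield usable tokens.
    $store[$userId] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => $now + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

/** Verify a presented token. Returns the user_id on success, null otherwise. */
function verifyToken(array $store, int $userId, string $presented, int $now): ?int
{
    if (!isset($store[$userId])) {
        return null;
    }
    $record = $store[$userId];
    if ($now >= $record['expires_at']) {
        return null;            // unlike the static MD5 token, these expire
    }
    // Constant-time comparison of the hashes avoids timing leaks.
    if (!hash_equals($record['token_hash'], hash('sha256', $presented))) {
        return null;
    }
    return $userId;
}

/** Rotate on privilege-sensitive events (password change, "log out everywhere"). */
function revokeToken(array &$store, int $userId): void
{
    unset($store[$userId]);
}

// Usage with constructed values:
$store = [];
$now = time();
$t = issueToken($store, 1, $now);
assert(verifyToken($store, 1, $t, $now) === 1);
assert(verifyToken($store, 1, $t, $now + TOKEN_TTL_SECONDS) === null);   // expired
revokeToken($store, 1);
assert(verifyToken($store, 1, $t, $now) === null);                       // revoked
```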

Details

CWE(s): CWE-330 (Use of Insufficiently Random Values)

Affected Products: Freescout freescout ≤ 1.8.206

CVEs Like This One (same product: Freescout Freescout)

- CVE-2026-40496
- CVE-2025-54366
- CVE-2026-27636
- CVE-2025-58163
- CVE-2026-28289
- CVE-2026-39384
- CVE-2026-40498
- CVE-2026-32752
- CVE-2026-32754
- CVE-2026-40497
