Cyber Resilience

CVE-2026-40496

High · Public PoC

Published: 21 April 2026
Modified: 23 April 2026
CVSS v4.0 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0040 (32.1st percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40496 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in FreeScout. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 32.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40496 is a high-severity vulnerability in FreeScout, an open-source self-hosted help desk and shared mailbox application. In versions prior to 1.8.213, the attachment download tokens are generated using a weak and predictable formula: MD5(APP_KEY + attachment_id + size). This design flaw allows tokens to be forged because attachment IDs are sequential integers and file sizes fall within a small brute-forceable range, enabling unauthorized access to private attachments.

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no privileges, as indicated by the CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). By guessing or enumerating attachment IDs and sizes, the attacker crafts valid tokens to download any private attachment without valid credentials, resulting in high impacts on confidentiality and integrity but no availability disruption. Associated CWEs include CWE-330 (Use of Insufficiently Random Values) and CWE-340 (Generation of Predictable Numbers or Identifiers).

The FreeScout security advisory (GHSA-2783-wxmm-wmwr) and release notes for version 1.8.213 detail the fix implemented via commit dbdf8f2260b43a21818255c70f0b61b9de9cd555, which strengthens token generation to prevent prediction. Security practitioners should upgrade to FreeScout 1.8.213 or later to mitigate the issue, and review exposed instances for potential token forgery attempts.

Vulnerability details

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.
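The two passages above (Deeper analysis and Vulnerability details) describe the same weakness: a download token derived only from a key and two low-entropy, enumerable attributes of the attachment. The following Python is an added illustration written for this page, not FreeScout's code and not the fix in commit dbdf8f2260b43a21818255c70f0b61b9de9cd555 (whose exact implementation this page does not show). It models the pre-1.8.213 formula, shows a second defect of that construction that the record does not mention (undelimited concatenation lets distinct id/size pairs yield the same token), and then shows two hardened designs a defender would reach for: a per-attachment random token stored with the record, and, where a stateless scheme is required, a keyed HMAC over an unambiguous encoding verified in constant time. `APP_KEY`, `AttachmentStore` and all sample values are constructed.

```python
"""Weak versus hardened attachment download tokens (constructed illustration)."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's secret key; not a real key.
APP_KEY = "base64:constructed-example-key-not-real"


def weak_token(app_key: str, attachment_id: int, size: int) -> str:
    """Model of the pre-1.8.213 formula md5(APP_KEY + attachment_id + size).

    Every input other than the key is guessable (sequential ids, sizes in
    a small range), so the set of candidate tokens an attacker must cover
    is tiny whenever the key is not an effective secret. The inputs are
    also concatenated without a delimiter, so (id=1, size=23) and
    (id=12, size=3) both hash the same bytes.
    """
    return hashlib.md5(f"{app_key}{attachment_id}{size}".encode()).hexdigest()


def concatenation_collides(a: tuple, b: tuple) -> bool:
    """True when two distinct (id, size) pairs produce the same weak token."""
    return a != b and weak_token(APP_KEY, *a) == weak_token(APP_KEY, *b)


class AttachmentStore:
    """Constructed in-memory stand-in for an attachments table.

    Hardened design 1: the token is random material stored with the row.
    It carries no information about id or size, so enumerating those
    attributes yields nothing, and its security does not depend on
    APP_KEY staying secret.
    """

    def __init__(self) -> None:
        self._rows: dict[int, tuple[int, str]] = {}  # id -> (size, token)

    def add(self, attachment_id: int, size: int) -> str:
        # 32 bytes from the OS CSPRNG, URL-safe base64 (43 characters).
        token = secrets.token_urlsafe(32)
        self._rows[attachment_id] = (size, token)
        return token

    def authorize_download(self, attachment_id: int, presented: str) -> bool:
        row = self._rows.get(attachment_id)
        if row is None:
            return False
        # Constant-time comparison so a forged token is rejected without
        # leaking how many leading characters matched.
        return hmac.compare_digest(row[1], presented)


def keyed_token(app_key: str, attachment_id: int, size: int) -> str:
    """Hardened design 2 (stateless): HMAC-SHA256 over a delimited encoding.

    The delimiter removes the concatenation ambiguity, and HMAC replaces a
    bare hash. This is only as strong as the secrecy of app_key, which is
    why the stored random token above is the more robust choice.
    """
    msg = f"attachment|{attachment_id}|{size}".encode()
    return hmac.new(app_key.encode(), msg, hashlib.sha256).hexdigest()


def verify_keyed_token(app_key: str, attachment_id: int, size: int,
                       presented: str) -> bool:
    expected = keyed_token(app_key, attachment_id, size)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print("weak scheme collides on (1,23)/(12,3):",
          concatenation_collides((1, 23), (12, 3)))
    store = AttachmentStore()
    issued = store.add(7, 1024)
    print("stored random token accepted:", store.authorize_download(7, issued))
    print("stored random token rejected for other id:",
          store.authorize_download(8, issued))
    t = keyed_token(APP_KEY, 1, 23)
    print("keyed tokens differ for (1,23)/(12,3):",
          t != keyed_token(APP_KEY, 12, 3))
```

The check a practitioner takes from this: a download token should be unguessable from anything an unauthenticated party can enumerate about the object it protects. A stored random value satisfies that unconditionally; a keyed MAC satisfies it only while the key is secret, and either must be compared in constant time.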

CWE(s): CWE-330 (Use of Insufficiently Random Values), CWE-340 (Generation of Predictable Numbers or Identifiers)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated exploitation of a public-facing web application (FreeScout) to access private attachments via predictable token forgery, directly mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27637 (same product: Freescout Freescout)
CVE-2026-39384 (same product: Freescout Freescout)
CVE-2026-28289 (same product: Freescout Freescout)
CVE-2025-58163 (same product: Freescout Freescout)
CVE-2025-54366 (same product: Freescout Freescout)
CVE-2026-27636 (same product: Freescout Freescout)
CVE-2026-40498 (same product: Freescout Freescout)
CVE-2026-32754 (same product: Freescout Freescout)
CVE-2026-32752 (same product: Freescout Freescout)
CVE-2026-40497 (same product: Freescout Freescout)

Affected Assets

freescout freescout (vendor / product): versions ≤ 1.8.213

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the vulnerability by requiring timely flaw remediation through upgrading to FreeScout 1.8.213, which fixes the weak token generation formula.

IA-5 Authenticator Management (prevent): ensures download tokens, acting as authenticators, have sufficient strength of mechanism to resist forgery from predictable inputs such as sequential attachment IDs and brute-forceable sizes.

Access enforcement (prevent): mandates enforcement of approved authorizations for accessing private attachments, addressing the access bypass enabled by forgeable tokens.
