CVE-2026-40496
Published: 21 April 2026
Summary
CVE-2026-40496 is a critical-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Freescout Freescout. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely flaw remediation through upgrading to FreeScout 1.8.213, which fixes the weak token generation formula.
Ensures download tokens as authenticators have sufficient strength of mechanism to resist forgery from predictable inputs like sequential attachment IDs and brute-forceable sizes.
Mandates enforcement of approved authorizations for accessing private attachments, addressing the access bypass enabled by forgeable tokens.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote unauthenticated exploitation of a public-facing web application (FreeScout) to access private attachments via predictable token forgery, directly mapping to T1190 Exploit Public-Facing Application.
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in…
more
a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.
Deeper analysisAI
CVE-2026-40496 is a high-severity vulnerability in FreeScout, an open-source self-hosted help desk and shared mailbox application. In versions prior to 1.8.213, the attachment download tokens are generated using a weak and predictable formula: MD5(APP_KEY + attachment_id + size). This design flaw allows tokens to be forged because attachment IDs are sequential integers and file sizes fall within a small brute-forceable range, enabling unauthorized access to private attachments.
An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no privileges, as indicated by the CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). By guessing or enumerating attachment IDs and sizes, the attacker crafts valid tokens to download any private attachment without valid credentials, resulting in high impacts on confidentiality and integrity but no availability disruption. Associated CWEs include CWE-330 (Use of Insufficiently Random Values) and CWE-340 (Generation of Predictable Numbers or Identifiers).
The FreeScout security advisory (GHSA-2783-wxmm-wmwr) and release notes for version 1.8.213 detail the fix implemented via commit dbdf8f2260b43a21818255c70f0b61b9de9cd555, which strengthens token generation to prevent prediction. Security practitioners should upgrade to FreeScout 1.8.213 or later to mitigate the issue, and review exposed instances for potential token forgery attempts.
Details
- CWE(s)