CVE-2026-40496 HIGH

CVE-2026-40496: FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force

Vendor Freescout-Help-Desk
Product freescout
Weakness CWE-330 · Insufficient randomness
Published April 21, 2026
Last update April 21, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + size)`. Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.
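As an added illustration, not FreeScout's own PHP code, the snippet below shows the token derivation in the shape the description gives (a hash over a reused application key and two guessable attachment attributes) beside a hardened design in which each attachment receives its own token from the OS CSPRNG, stored with the row and checked in constant time. `APP_KEY` and `AttachmentStore` are constructed stand-ins, not the project's identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder; not the project's real APP_KEY.
APP_KEY = "base64:constructed-example-key"


def weak_token(app_key: str, attachment_id: int, size: int) -> str:
    """Token derivation in the shape the advisory describes for versions before 1.8.213.

    Every input besides the key is a low-entropy attribute of the attachment
    (a sequential id and a file size), so the token is a deterministic function
    of guessable values rather than a secret in its own right.
    """
    return hashlib.md5(f"{app_key}{attachment_id}{size}".encode()).hexdigest()


class AttachmentStore:
    """In-memory stand-in for the attachment table behind a download endpoint."""

    def __init__(self) -> None:
        self._tokens: dict[int, str] = {}
        self._next_id = 1  # ids may stay sequential; the token no longer depends on them

    def add(self) -> tuple[int, str]:
        """Issue a fresh per-attachment token from the OS CSPRNG and persist it."""
        attachment_id = self._next_id
        self._next_id += 1
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self._tokens[attachment_id] = token
        return attachment_id, token

    def authorize_download(self, attachment_id: int, presented: str) -> bool:
        """Accept a download only if the stored token matches, compared in constant time."""
        stored = self._tokens.get(attachment_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    print("weak:", weak_token(APP_KEY, 1, 1024))
    store = AttachmentStore()
    aid, tok = store.add()
    print("hardened:", aid, tok, store.authorize_download(aid, tok))
```

The hardened variant needs one extra column per attachment, but the token then carries no information an outsider can reconstruct from the id or the file size.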

Key dates

Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated