PT-2026-21854 · Freescout · Freescout

Offensive-Ai · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27637

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.206
Description: FreeScout's TokenAuth middleware generates authentication tokens using a predictable method: MD5(user id + created_at + APP_KEY). These tokens are static and never expire or rotate. If an attacker obtains the APP_KEY (a common exposure vector in Laravel applications), they can compute a valid token for any user, including the administrator, leading to full account takeover without needing a password. The user id and created_at timestamp are the remaining inputs to the token derivation.
Recommendations: Upgrade to FreeScout version 1.8.206 or later.
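The token design the fix should replace, shown as an added Python example that is not FreeScout's own code: tokens are drawn from the OS CSPRNG instead of being derived from user id, created_at and APP_KEY, stored only as hashes, and given an expiry and a rotation path. The in-memory store, the TTL value and the injectable clock are assumed stand-ins for the application's database and policy.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed policy value, not FreeScout's


@dataclass
class TokenRecord:
    user_id: int
    token_hash: str  # SHA-256 of the token; the plaintext is never stored
    expires_at: float
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for an API-token table (assumed, for illustration)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._records: Dict[str, TokenRecord] = {}
        self._now = now

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, ttl: int = TOKEN_TTL_SECONDS) -> str:
        # 32 bytes from the OS CSPRNG: knowing the user id, created_at or
        # the app key gives no way to reconstruct this value.
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        self._records[h] = TokenRecord(user_id, h, self._now() + ttl)
        return token

    def authenticate(self, token: str) -> Optional[int]:
        """Return the user id for a live, unexpired token, else None."""
        h = self._hash(token)
        rec = self._records.get(h)
        if rec is None:
            return None
        # Compare digests in constant time; the lookup key is already a hash,
        # so no timing information about the plaintext token leaks.
        if not hmac.compare_digest(h, rec.token_hash):
            return None
        if rec.revoked or self._now() >= rec.expires_at:
            return None
        return rec.user_id

    def rotate(self, old_token: str) -> Optional[str]:
        """Revoke the presented token and issue a fresh one for the same user."""
        user_id = self.authenticate(old_token)
        if user_id is None:
            return None
        self._records[self._hash(old_token)].revoked = True
        return self.issue(user_id)
```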

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2026-27637
GHSA-6GCM-V8XF-J9V9
GHSA-MW88-X7J3-74VC

Affected Products

Freescout