CVE-2026-41902

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.217

Description The '/user-setup/{hash}' endpoint accepts a 60-character random invite hash to set a new user's password but does not perform an expiration check, allowing the hash to remain valid indefinitely until used. This can lead to unauthenticated permanent account takeover if the hash is leaked through forwarded emails, HTTP referrers to external CDNs, server-side logs, or abandoned emails in shared inboxes. If the leaked invite was intended for an administrator, the attacker can gain administrative access.

Recommendations Update to version 1.8.217.