CVE-2026-41902: FreeScout Invite Hash Vulnerability Allows Permanent Account Takeover
The National Vulnerability Database has detailed CVE-2026-41902, a critical vulnerability in FreeScout, a PHP-based help desk and shared inbox system. Versions prior to 1.8.217 suffer from an insecure user setup endpoint, /user-setup/{hash}. This endpoint accepts a 60-character invite hash for setting a new user’s password but crucially lacks any expiration check. This means a leaked invite hash remains valid indefinitely, creating a permanent backdoor.
Attackers can exploit realistic hash leakage scenarios, such as forwarded invite emails, exposed HTTP referrers, server logs, or even abandoned emails in shared inboxes. This allows for unauthenticated account takeover months or even years after the initial invite was issued. If the compromised invite was for an administrator, the attacker gains full administrative control over the FreeScout instance.
This vulnerability, rated CVSS 9.1, has been patched in FreeScout version 1.8.217. Defenders using FreeScout must upgrade immediately to prevent potential long-term compromise. Organizations should also review their incident response plans for handling long-lived leaked credentials.
What This Means For You
- If your organization uses FreeScout, patch to version 1.8.217 immediately. Audit your system for any unauthorized user accounts created recently. Review logs for suspicious invite hash usage or password reset attempts that may have gone unnoticed.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK (Sigma YAML).
CVE-2026-41902: FreeScout Indefinite Invite Hash Account Takeover
```yaml
# Title quoted: an unquoted "CVE-...: FreeScout ..." value contains ": " and is invalid YAML.
title: 'CVE-2026-41902: FreeScout Indefinite Invite Hash Account Takeover'
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
    Detects successful requests to the FreeScout /user-setup/{hash} endpoint, the
    primary vector for CVE-2026-41902. Before 1.8.217 the invite hash never expires,
    so a leaked hash permits unauthenticated account takeover long after the invite.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-41902/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri|startswith:
            - '/user-setup/'
        sc-status:
            - 200
    condition: selection
falsepositives:
    - Legitimate first-time password setup by newly invited users
    - Legitimate administrative activity
```
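The Sigma rule above fires on every successful hit to the endpoint, including normal onboarding. As an added example (not from the page or the FreeScout project), the following log-side check narrows that: it parses combined-format access-log lines, extracts the 60-character hash from /user-setup/ paths, and flags a hash that is served again long after it was first seen, or from a second client address. The log lines, addresses and hashes are constructed, and the seven-day onboarding window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). Addresses, timestamps
# and the two 60-character hashes are made up; nothing here is from a real deployment.
INVITE_A = "A1" * 30   # stands in for an invite hash that later leaked
INVITE_B = "Zz9" * 20  # an invite hash used once during normal onboarding
SAMPLE_LOG = f"""\
10.0.0.5 - - [10/Jan/2026:09:12:03 +0000] "GET /user-setup/{INVITE_A} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2026:09:13:40 +0000] "POST /user-setup/{INVITE_A} HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Jan/2026:14:02:11 +0000] "GET /user-setup/{INVITE_B} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Apr/2026:03:41:55 +0000] "GET /user-setup/{INVITE_A} HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.23 - - [22/Apr/2026:03:42:10 +0000] "POST /user-setup/{INVITE_A} HTTP/1.1" 302 0 "-" "curl/8.5.0"
10.0.0.9 - - [22/Apr/2026:08:00:00 +0000] "GET /user-setup/short HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')
# FreeScout invite hashes are 60 characters; anything else on this path is noise.
SETUP_RE = re.compile(r'^/user-setup/(?P<hash>[A-Za-z0-9]{60})(?:[/?]|$)')

def parse_invite_requests(lines):
    """Yield (timestamp, client_ip, method, invite_hash, status) for each /user-setup/ hit."""
    for line in lines:
        m = LOG_RE.match(line)
        p = SETUP_RE.match(m["path"]) if m else None
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], m["method"], p["hash"], int(m["status"])

def find_suspicious_invite_use(lines, max_age=timedelta(days=7)):
    """Flag a hash served (status < 400) long after first sight, or from a second client.

    max_age is an assumed onboarding window. A patched server enforces expiry itself;
    this is the check a defender can run from logs while unpatched instances exist.
    """
    first_seen, sources, flagged_multi, alerts = {}, defaultdict(set), set(), []
    for ts, ip, method, h, status in sorted(parse_invite_requests(lines), key=lambda r: r[0]):
        first_seen.setdefault(h, ts)
        sources[h].add(ip)
        if status >= 400:
            continue  # rejected request: no password was set
        age = ts - first_seen[h]
        if age > max_age:
            alerts.append({"type": "stale_invite_hash", "hash": h, "ip": ip,
                           "method": method, "age_days": age.days})
        if len(sources[h]) > 1 and h not in flagged_multi:
            flagged_multi.add(h)
            alerts.append({"type": "invite_hash_multiple_sources", "hash": h,
                           "sources": sorted(sources[h])})
    return alerts
```

Run `find_suspicious_invite_use(SAMPLE_LOG.splitlines())` to see the April reuse of INVITE_A flagged twice as stale and once for its second source, while INVITE_B and the malformed 404 request produce nothing.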
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41902 | Auth Bypass | FreeScout < 1.8.217 |
| CVE-2026-41902 | Auth Bypass | FreeScout /user-setup/{hash} endpoint |
| CVE-2026-41902 | Auth Bypass | Permanent account takeover via invite_hash |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.