Critical (9.1)

FreeScout unauth takeover via expired invites (CVE-2026-41902)


CVE-2026-41902: Critical unauthenticated account takeover in FreeScout <1.8.217 via permanently valid invite hashes. Patch to 1.8.217 immediately.

Patch now - CVE-2026-41902 is a critical unauthenticated account takeover in FreeScout prior to version 1.8.217 that lets attackers hijack any user account whose invitation hash was ever leaked. Patched in 1.8.217 - update immediately.

Overview

CVE-2026-41902 affects the /user-setup/{hash} endpoint in FreeScout, an open-source help desk built on Laravel. This endpoint accepts a 60-character random invite_hash to set a new user’s password. The vulnerability arises because the endpoint performs no expiration check on the invite hash - it remains valid indefinitely until consumed.

An attacker who obtains a leaked invite hash can use it to set a new password for that user account at any time, months or years after the invitation was originally sent. Realistic leak scenarios include forwarded invite emails, HTTP referrer headers sent to external CDNs when the setup page loads, server-side log exposure, and abandoned invite emails sitting in shared inboxes.

Impact

The impact ranges from standard account takeover to full admin compromise. If the leaked invitation was sent to an admin or help desk operator, the attacker gains admin-level access to the help desk, including the ability to read all tickets, access customer data, modify system settings, and create or delete accounts. The CVSS score of 9.1 (CRITICAL) reflects the low attack complexity, no privileges required, and no user interaction needed to exploit a leaked hash.

Affected Versions

FreeScout versions prior to 1.8.217 are affected. Version 1.8.217 contains the fix.

Remediation

Upgrade immediately to FreeScout version 1.8.217 or later. This is the only complete fix.

While upgrading, organizations should also:

  • Revoke and reissue all outstanding invitation hashes immediately after upgrading.
  • Audit recent account creations for unauthorized password resets conducted via the /user-setup/ endpoint.
  • Review server logs, email archives, and shared mailboxes for any leaked invite hashes.

Security Insight

This vulnerability represents a systemic design failure: treating an invitation link as a one-factor authentication credential while providing no means to expire it. Help desk software often carries high-value customer data, making any authentication weakness particularly dangerous. Unlike session tokens, invitation hashes have no inherent time-to-live, meaning a compromise that seemed minor at the time (a forwarded email, a log file retained for compliance) can lead to full compromise years later. This incident mirrors similar vulnerabilities in password reset tokens found in other Laravel-based applications and underscores the need for time-bounded authentication flows in all user-facing web applications.
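To make the design point concrete, here is an added Python model (not FreeScout's code) of the invite check as the advisory describes the pre-1.8.217 behaviour, beside a time-bounded, single-use version; the 24-hour TTL, the Invite record layout and the function names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hmac
import secrets

INVITE_TTL = timedelta(hours=24)  # assumed policy; the page states no value


@dataclass
class Invite:
    invite_hash: str  # 60-char random token, as in /user-setup/{hash}
    created_at: datetime
    used_at: Optional[datetime] = None


def new_invite(now: datetime) -> Invite:
    # 45 random bytes encode to exactly 60 URL-safe characters, no padding.
    return Invite(secrets.token_urlsafe(45), now)


def vulnerable_check(invite: Invite, presented: str) -> bool:
    # Models the flaw the advisory describes: a matching, unconsumed hash is
    # accepted regardless of age, so a leaked hash stays usable forever.
    return invite.used_at is None and hmac.compare_digest(invite.invite_hash, presented)


def hardened_check(invite: Invite, presented: str, now: datetime) -> bool:
    # Constant-time compare, single use, and a hard TTL from creation time.
    if not hmac.compare_digest(invite.invite_hash, presented):
        return False
    if invite.used_at is not None:
        return False
    return now - invite.created_at <= INVITE_TTL


def consume(invite: Invite, presented: str, now: datetime) -> bool:
    # Setting the password validates and burns the invite in one place.
    if not hardened_check(invite, presented, now):
        return False
    invite.used_at = now
    return True


def demo() -> dict:
    # Constructed scenario: invite issued at t0, presented 400 days later.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inv = new_invite(t0)
    stale = t0 + timedelta(days=400)
    return {
        "hash_len": len(inv.invite_hash),
        "vulnerable_accepts_stale": vulnerable_check(inv, inv.invite_hash),
        "hardened_accepts_stale": hardened_check(inv, inv.invite_hash, stale),
        "hardened_accepts_fresh": hardened_check(inv, inv.invite_hash, t0 + timedelta(hours=1)),
        "first_use": consume(inv, inv.invite_hash, t0 + timedelta(hours=2)),
        "second_use": consume(inv, inv.invite_hash, t0 + timedelta(hours=3)),
    }
```

Running `demo()` shows the unpatched-style check still accepting the hash more than a year after issue, while the hardened check rejects it and also refuses a second use of a consumed invite.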
