CVE-2026-41902
critical
CVSS 9.1
Vulnerability in laravel (CVE-2026-41902)
Summary
Vulnerability in laravel (CVE-2026-41902); the affected product is FreeScout, which is built on Laravel. Confidential information can be exposed externally. Exploitable via the `Referer` header.
AI summary (openai / gpt-4o)
FreeScout, a helpdesk system built on the Laravel framework, had a flaw where user invite links never expired, so a leaked link could be used to take over the invited account; this is most serious for administrator invitations. The issue is resolved in the latest version. If your company runs FreeScout, update immediately to protect against unauthorized access.
Up to version 1.8.216, the /user-setup/{hash} endpoint let anyone who presented a valid 60-character invite hash set that user's password, with no check on how old the invite was. A leaked link therefore allowed takeover of the invited account. Version 1.8.217 fixes this by enforcing an expiration on invite links. Until the upgrade is in place, apply an expiration to outstanding invites. For detection, monitor requests to /user-setup/{hash} (where the password is set) and the /login activity that follows them for unexpected clients.
❓ What is the problem
The /user-setup/{hash} endpoint accepted a 60-character invite hash and set the user's password without checking whether the invite had expired.
📍 Affected scope
FreeScout up to version 1.8.216, patched in 1.8.217.
🔥 Severity
Critical: unauthorized account takeover, up to administrator level, if an invite link is leaked (for example through the `Referer` header).
🔧 How to fix
Upgrade to FreeScout version 1.8.217 or later, which enforces expiration checks on invite hashes.
🛡️ Workaround
If upgrading is not immediately possible, treat outstanding invite links as expired: revoke pending invitations and re-issue them with a short validity period, and make sure the setup page does not load resources from third-party sites, since the `Referer` header would hand them the hash.
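The two behaviours side by side, as an added example that is not FreeScout's own code: an in-memory invite store whose `redeem_vulnerable` accepts any valid 60-character hash regardless of age (the pre-1.8.217 behaviour the advisory describes), and whose `redeem_hardened` also rejects expired and already-used invites. The 72-hour TTL, the `InviteStore` class and the injectable clock are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy for this example: an invite is valid for 72 hours and for one use.
INVITE_TTL_SECONDS = 72 * 3600


@dataclass
class Invite:
    user_id: int
    hash: str          # 60 hex characters, matching the page's 60-character invite hash
    created_at: float  # epoch seconds when the invitation was issued
    consumed: bool = False


class InviteStore:
    """Stand-in for the table that holds pending invitations (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the expiry path can be exercised
        self._by_hash = {}

    def issue(self, user_id: int) -> str:
        invite_hash = secrets.token_hex(30)   # 30 random bytes -> 60 hex characters
        self._by_hash[invite_hash] = Invite(user_id, invite_hash, self._now())
        return invite_hash

    def _find(self, presented: str):
        # Constant-time comparison against each stored hash, so response timing does
        # not reveal how much of a guessed hash was correct.
        if not presented.isascii():
            return None
        for stored, invite in self._by_hash.items():
            if hmac.compare_digest(stored, presented):
                return invite
        return None

    def redeem_vulnerable(self, presented: str, new_password: str):
        """Pre-1.8.217 behaviour: a valid hash is honoured no matter how old it is."""
        invite = self._find(presented)
        if invite is None:
            return None
        return self._set_password(invite, new_password)

    def redeem_hardened(self, presented: str, new_password: str):
        """Fixed behaviour: additionally reject expired and already-used invites."""
        invite = self._find(presented)
        if invite is None or invite.consumed:
            return None
        if self._now() - invite.created_at > INVITE_TTL_SECONDS:
            del self._by_hash[invite.hash]   # expired: remove it so it can never be replayed
            return None
        return self._set_password(invite, new_password)

    def _set_password(self, invite: Invite, new_password: str) -> int:
        # The real application would hash and store new_password for invite.user_id.
        invite.consumed = True
        return invite.user_id


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    store = InviteStore(now=lambda: clock[0])
    link = store.issue(user_id=42)
    clock[0] += 30 * 24 * 3600            # the link leaks and is found a month later
    print("hardened:", store.redeem_hardened(link, "attacker-pw"))       # None: rejected
    print("vulnerable:", store.redeem_vulnerable(link, "attacker-pw"))   # None here only because the hardened path already dropped it
```

The hardened path deletes an expired record on first sight rather than merely refusing it, so a later code path that forgets the age check cannot resurrect it; single use is enforced through the `consumed` flag.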
🔍 Detection
Monitor requests to /user-setup/{hash}: an invite hash used from more than one client IP or user agent, a password set long after the invitation went out, and /login sessions that follow from an unexpected client.
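A detection pass over access logs, as an added example rather than anything shipped with FreeScout: it parses combined-format log lines, picks out requests to the /user-setup/{hash} endpoint named in the advisory, and flags any hash that was used from more than one client IP or user agent, or whose password was set more than once. The log lines, hostnames, addresses and the 60-character hashes are constructed for the example.

```python
import re
from collections import defaultdict

# Combined-format access log line (nginx/Apache style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The invite endpoint from the advisory; the hash is 60 characters long.
SETUP_RE = re.compile(r'^/user-setup/(?P<hash>[A-Za-z0-9]{60})(?:[/?#]|$)')

# Constructed sample: two invitations, one of which is redeemed from a second client.
H_LEAKED = "0123456789abcdef" * 3 + "0123456789ab"   # 60 characters
H_NORMAL = "fedcba9876543210" * 3 + "fedcba987654"   # 60 characters
UA_INVITEE = "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
UA_OTHER = "python-requests/2.31"
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Mar/2026:09:00:01 +0000] "GET /user-setup/{H_LEAKED} HTTP/1.1" 200 4120 "-" "{UA_INVITEE}"',
    # The setup URL rides along in the Referer of every asset the page loads; a
    # third-party asset would receive this same header, which is how the hash leaks.
    f'10.0.0.5 - - [01/Mar/2026:09:00:02 +0000] "GET /css/app.css HTTP/1.1" 200 118 "https://helpdesk.example.test/user-setup/{H_LEAKED}" "{UA_INVITEE}"',
    f'203.0.113.9 - - [03/Mar/2026:22:14:07 +0000] "GET /user-setup/{H_LEAKED} HTTP/1.1" 200 4120 "-" "{UA_OTHER}"',
    f'203.0.113.9 - - [03/Mar/2026:22:14:09 +0000] "POST /user-setup/{H_LEAKED} HTTP/1.1" 302 0 "-" "{UA_OTHER}"',
    f'203.0.113.9 - - [03/Mar/2026:22:14:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "{UA_OTHER}"',
    f'10.0.0.8 - - [02/Mar/2026:11:30:00 +0000] "GET /user-setup/{H_NORMAL} HTTP/1.1" 200 4120 "-" "{UA_INVITEE}"',
    f'10.0.0.8 - - [02/Mar/2026:11:30:25 +0000] "POST /user-setup/{H_NORMAL} HTTP/1.1" 302 0 "-" "{UA_INVITEE}"',
]


def analyse(lines):
    """Return one finding per invite hash whose usage pattern looks like a leaked link."""
    per_hash = defaultdict(lambda: {"ips": set(), "uas": set(), "password_set": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip it
        s = SETUP_RE.match(m["path"])
        if not s:
            continue                       # not the invite endpoint
        rec = per_hash[s["hash"]]
        rec["ips"].add(m["ip"])
        rec["uas"].add(m["ua"])
        # A POST that is accepted (redirect or 200) is the password actually being set.
        if m["method"] == "POST" and m["status"] in ("200", "302"):
            rec["password_set"] += 1

    findings = []
    for invite_hash, rec in per_hash.items():
        reasons = []
        if len(rec["ips"]) > 1:
            reasons.append(f"used from {len(rec['ips'])} client IPs")
        if len(rec["uas"]) > 1:
            reasons.append(f"used with {len(rec['uas'])} user agents")
        if rec["password_set"] > 1:
            reasons.append("password set more than once")
        if reasons:
            findings.append({"hash": invite_hash, "reasons": reasons, "ips": sorted(rec["ips"])})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["hash"][:12] + "...", f["ips"], "; ".join(f["reasons"]))
```

On the sample the leaked hash is reported for both the second IP and the second user agent, while the normally redeemed one is silent; in production, join the flagged hash back to the invitation record to see whose account was taken and whether a /login from the same client followed.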
Related past incidents
Similar incidents extracted from past CVEs
A similar issue in another CMS where API keys did not expire, leading to account takeovers.
A Laravel application had a similar invite link expiration vulnerability.
Another case where leaked invite URLs led to unauthorized access in enterprise systems.
If this happens at your company
Expected impact per business scenario
📌 Large enterprise using FreeScout for internal helpdesk
A leaked admin invitation could give unauthorized access to internal systems.
📌 Small business using FreeScout for customer support
Customer data exposure if shared inboxes are accessed by unauthorized persons.
📌 Medium-sized company in tech industry
Potential loss of control over user accounts if employee invitation links are forwarded externally.
Recommended action
Immediately update FreeScout to 1.8.217 or later, and make sure every outstanding user invitation link carries an expiration.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure (identify)
grep -r 'laravel' . | grep -v node_modules
Grep for `laravel` in the repository and in the production dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock and the like; for a Laravel application, composer.lock) to establish which services are running and at which version. Note that the vulnerable component is FreeScout itself rather than the Laravel framework, so the figure you need is the FreeScout release that is deployed.
2. Match against affected range (verify)
Confirm whether the version satisfies `<1.8.217`
Check whether the version found in Step 1 falls within the affected range `<1.8.217`. If an affected version is running in production, treat it as an incident.
7. Post-deployment verification (verify)
Confirm the patched version is live in production
After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm that the vulnerability is closed. In production, keep running the same log query as in Step 3 and confirm that the alert does not recur.