Predictable authentication tokens in FreeScout allow attackers to perform full account takeovers, potentially compromising all help desk communications and administrative controls.

The TokenAuth middleware uses a predictable MD5 hash of the user ID, creation timestamp, and the APP_KEY. If an attacker obtains the APP_KEY, they can generate valid, non-expiring tokens for any user account without needing a password.

Full account takeover of an administrator allows an attacker to read all private communications, delete data, and modify system settings. The CVSS score of 9.8 indicates a critical risk, especially given how frequently Laravel APP_KEY values are accidentally exposed in logs or environment files.

Immediate Action: Upgrade FreeScout to version 1.8.206. After upgrading, it is highly recommended to rotate the Laravel APP_KEY to invalidate any potentially compromised tokens.

Proactive Monitoring: Inspect logs for suspicious logins using API tokens and verify the security of the .env file and other configuration backups.

Compensating Controls: Ensure that environment files are not accessible via the web and implement multi-factor authentication (MFA) where supported to provide an additional layer of security.

Public Exploit Available: No

The reliance on a predictable hash for authentication is a severe architectural flaw. Organizations must update FreeScout immediately and treat their APP_KEY as a high-value secret that requires immediate rotation if exposure is suspected.