CVE-2026-27636
📋 TL;DR
This vulnerability allows authenticated users to upload .htaccess or .user.ini files to FreeScout help desk systems, enabling remote code execution on Apache servers with AllowOverride All configuration. It affects FreeScout installations prior to version 1.8.206. The vulnerability can be exploited alone or combined with CVE-2026-27637 for greater impact.
💻 Affected Systems
- FreeScout
📦 What is this software?
FreeScout (freescout-help-desk/freescout) is an open-source, self-hosted help desk and shared mailbox application written in PHP on the Laravel framework, typically deployed behind Apache or nginx with PHP-FPM.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attacker to execute arbitrary code, access sensitive data, and pivot to other systems.
Likely Case
Unauthorized file upload leading to web shell deployment and limited server access.
If Mitigated
File upload blocked or restricted to safe extensions, preventing exploitation.
🎯 Exploit Status
Exploitation requires an authenticated FreeScout account that can upload attachments; once that access is held, the upload itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.206
Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9
Restart Required: No
Instructions:
1. Back up your FreeScout installation and database.
2. Download version 1.8.206 from the official repository.
3. Replace the existing installation with the patched version.
4. Verify the patch by checking that app/Misc/Helper.php lists .htaccess and .user.ini among the restricted extensions.
🔧 Temporary Workarounds
Restrict Apache AllowOverride
Change the Apache server configuration so that .htaccess files under the upload tree are ignored. AllowOverride is only valid in server or virtual-host <Directory> context and cannot be set from an .htaccess file, so this belongs in httpd.conf or the vhost, not in an .htaccess:
# Apache server/vhost configuration (the path is a placeholder; point it at the directory where FreeScout stores attachments):
<Directory "/var/www/freescout/storage">
    AllowOverride None
</Directory>
Caveat: FreeScout, like other Laravel applications, ships its rewrite rules in public/.htaccess, so applying AllowOverride None to the whole document root breaks routing unless those rules are moved into the vhost first. This setting also does nothing for .user.ini, which is read by PHP's CGI/FastCGI SAPIs (PHP-FPM), not by Apache. To disable per-directory PHP overrides, set user_ini.filename to an empty value in php.ini (it is a PHP_INI_SYSTEM directive and cannot be changed per directory) and restart PHP-FPM.
Web Server File Access Block
Deny HTTP clients access to override files in the upload tree. This stops the files from being served back, not from being uploaded or from being processed by Apache or PHP, so use it alongside the AllowOverride and user_ini.filename changes above:
# In Apache configuration:
<FilesMatch "^\.(htaccess|user\.ini)$">
    Require all denied
</FilesMatch>
🧯 If You Can't Patch
- Implement strict file upload validation at application level to block .htaccess and .user.ini files
- Monitor file upload directories for suspicious .htaccess or .user.ini files and implement real-time alerting
🔍 How to Verify
Check if Vulnerable:
FreeScout releases before 1.8.206 are affected. Review app/Misc/Helper.php: if .htaccess and .user.ini are missing from the restricted extensions list, the instance is vulnerable.
Check Version:
php artisan --version
Note: this command prints the Laravel framework version, not the FreeScout release. The FreeScout version is shown in the admin interface on the System page; compare that value against 1.8.206.
Verify Fix Applied:
Confirm the FreeScout version is 1.8.206 or higher and that .htaccess and .user.ini appear in the restricted extensions array in app/Misc/Helper.php. Then test with a non-privileged agent account: an attachment named .htaccess or .user.ini should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Attachment uploads whose filename is .htaccess or .user.ini, where the application logs upload filenames
- .htaccess or .user.ini files appearing under the attachment/upload directories (periodic filesystem scan or file integrity monitoring)
- Apache error logs reporting .htaccess directives being applied from, or rejected in, upload directories
Network Indicators:
- Multipart POST requests to attachment upload endpoints carrying a part with filename=".htaccess" or filename=".user.ini" (visible only to a proxy or WAF that inspects request bodies)
SIEM Query:
Apache access logs do not record uploaded filenames, and the filename travels in the multipart body, never in the User-Agent header, so an access-log query can only narrow to upload requests; correlate the hits with application logs or a filesystem scan.
source="apache_access" AND method="POST" AND (uri="/conversations/upload" OR uri="/attachments/upload")
(Endpoint paths as given on this page; confirm them against the routes of your FreeScout version.)
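The following is an added example, not FreeScout project code, covering both the "If You Can't Patch" recommendations and the filesystem side of "Detection & Monitoring". It shows why a last-extension check misses these files (to os.path.splitext, ".htaccess" has no extension at all and ".user.ini" has the harmless-looking extension "ini"), an application-level denylist that handles dotfiles, path components, NUL bytes and trailing dots, and a scan over an upload tree. The denylist contents, function names and the constructed sample tree are assumptions for illustration and do not describe FreeScout's Helper.php.

```python
"""Upload-name policy and override-file scan (added example; not FreeScout code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path, PurePosixPath

# Filenames that change web-server or PHP behaviour when dropped into a directory:
# .htaccess/.htpasswd are Apache per-directory config, .user.ini is read by PHP's
# CGI/FastCGI SAPIs (PHP-FPM), web.config is the IIS equivalent. Assumed policy list.
OVERRIDE_NAMES = frozenset({".htaccess", ".htpasswd", ".user.ini", "web.config"})

# Executable extensions for the denylist. Assumed example policy, not FreeScout's list.
BLOCKED_EXTENSIONS = frozenset(
    {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "cgi", "pl", "sh"}
)


def naive_extension_blocked(name: str) -> bool:
    """The check many upload handlers ship: look only at the last extension.

    os.path.splitext treats a leading dot as part of the name, so '.htaccess'
    yields an empty extension and passes; '.user.ini' yields 'ini' and passes too.
    """
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext in BLOCKED_EXTENSIONS


def normalize_upload_name(raw: str) -> str:
    """Reduce an attacker-controlled filename to the basename the server would store.

    Drops directory components (both separators), strips trailing dots and spaces
    (ignored by Windows filesystems) and lower-cases for case-insensitive matching.
    """
    name = PurePosixPath(raw.replace("\\", "/")).name
    return name.rstrip(". ").lower()


def is_blocked_upload(raw: str) -> bool:
    """Application-level check: True if the filename must be rejected."""
    if "\0" in raw:
        return True  # NUL in a name is never legitimate; reject instead of truncating
    name = normalize_upload_name(raw)
    if not name:
        return True  # nothing left after normalisation: reject rather than guess
    if name in OVERRIDE_NAMES:
        return True  # dotfiles have no 'extension'; match the whole name
    # Check every extension component, not only the last (shell.php.jpg, x.phtml).
    return any(part in BLOCKED_EXTENSIONS for part in name.split(".")[1:])


def find_override_files(root: str | os.PathLike) -> list[str]:
    """Walk an upload tree and return override files found, relative to root."""
    root_path = Path(root)
    hits: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for fn in filenames:
            if fn.lower() in OVERRIDE_NAMES:
                hits.append(Path(dirpath, fn).relative_to(root_path).as_posix())
    return sorted(hits)


def demo_scan() -> list[str]:
    """Build a constructed sample upload tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "attachments" / "42").mkdir(parents=True)
        (root / "attachments" / "42" / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (root / "attachments" / "42" / ".htaccess").write_text("# constructed sample\n")
        (root / "attachments" / "43").mkdir()
        (root / "attachments" / "43" / ".user.ini").write_text("; constructed sample\n")
        return find_override_files(root)


if __name__ == "__main__":
    for candidate in (".htaccess", ".user.ini", "shell.php.jpg", "notes.txt"):
        print(f"{candidate!r}: naive={naive_extension_blocked(candidate)} "
              f"hardened={is_blocked_upload(candidate)}")
    print("override files found in sample tree:", demo_scan())
```

Run find_override_files against the real attachment directory from cron or a file integrity monitor and alert on any hit; a clean tree returns an empty list. The policy here is a denylist because that is what the page describes; where the application can tolerate it, an allowlist of expected document and image types is the stronger default.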
🔗 References
- https://github.com/freescout-help-desk/freescout/commit/9984071e6f1b4e633fdcffcea82bbebc9c1e009c
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc