Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSRF‑enabled OAuth disconnect leads to mailbox outage
Action: Apply Patch
AI Analysis

Impact

FreeScout's mailbox OAuth disconnect is implemented as a GET route that removes stored OAuth metadata and then redirects. Because the endpoint requires no CSRF token, an attacker can trigger the request cross-site against a logged-in mailbox administrator. The result is that the mailbox's OAuth credentials are deleted and the mailbox loses access to its external email service, interrupting email flow for the help desk.

Affected Systems

The vulnerability exists in freescout-help-desk:freescout versions issued before 1.8.215. Deployments of those releases that expose the `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}` endpoint are affected. Administrators should verify the running version and upgrade if it is out of date.

Risk and Exploitability

The flaw bears a CVSS score of 5.4, indicating moderate severity. No EPSS score is available and the issue is not listed in CISA's KEV catalog, so publicly documented exploitation appears low. The attack vector is straightforward: an attacker can embed a crafted link in a phishing email or on a malicious webpage that, when activated by an authenticated mailbox administrator, sends the GET request and forces the OAuth disconnect. The exploit requires only that the victim hold an authenticated session; the attacker needs no privileges of their own.

Generated by OpenCVE AI on April 22, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.215 or later to remove the CSRF vulnerability.
  • If an upgrade cannot occur immediately, block the `GET /mailbox/oauth-disconnect/*` endpoint through your web server or reverse proxy to prevent accidental or malicious invocation.
  • Implement monitoring to detect and alert on OAuth disconnect actions so you can respond quickly if a revoke occurs.
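The version check and the monitoring recommendation above can be implemented with a small log-review script. The following is an added example written for this page, not code from OpenCVE or from the FreeScout project: it flags the affected version range and scans web-server access log lines (combined log format) for GET requests to the disconnect route, classifying each by whether the Referer belongs to the help desk's own host. The log lines, the host `helpdesk.example.com`, the `in`/`out` and provider path values, and the referring site are all constructed sample data.

```python
import re
from urllib.parse import urlsplit

# First fixed release named in the advisory.
FIXED_VERSION = (1, 8, 215)

# The state-changing GET route described in the advisory.
ROUTE_RE = re.compile(
    r"^/mailbox/oauth-disconnect/(?P<id>\d+)/(?P<in_out>[^/]+)/(?P<provider>[^/?]+)"
)

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not real traffic). Path values after the route prefix
# are placeholders; the referring site in line 3 is a made-up name.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:00:01 +0000] "GET /mailbox/1 HTTP/1.1" 200 1234 '
    '"https://helpdesk.example.com/mailbox" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2026:10:00:05 +0000] "GET /mailbox/oauth-disconnect/1/in/microsoft HTTP/1.1" 302 0 '
    '"https://helpdesk.example.com/mailbox/1/connection-settings" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2026:10:01:17 +0000] "GET /mailbox/oauth-disconnect/1/out/google HTTP/1.1" 302 0 '
    '"https://evil.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2026:10:01:20 +0000] "GET /mailbox/oauth-disconnect/1/out/google HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
]


def parse_version(version):
    """Turn '1.8.214' into (1, 8, 214) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True for any release before 1.8.215."""
    return parse_version(version) < FIXED_VERSION


def find_oauth_disconnects(lines, own_hosts):
    """Return one finding per GET hit on the disconnect route, with a Referer verdict.

    own_hosts: hostnames that serve this FreeScout instance. A Referer from any
    other host means the navigation started on a third-party page; a missing
    Referer cannot be trusted either, since it is stripped by many referrer
    policies and by email clients.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        route = ROUTE_RE.match(urlsplit(m["path"]).path)
        if not route:
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
        if ref_host is None:
            verdict = "no-referer"
        elif ref_host.lower() in own:
            verdict = "same-site"
        else:
            verdict = "cross-site"
        findings.append({
            "time": m["time"],
            "client": m["ip"],
            "mailbox_id": route["id"],
            "in_out": route["in_out"],
            "provider": route["provider"],
            "referer_host": ref_host,
            "verdict": verdict,
        })
    return findings


def alert_worthy(findings):
    """Everything that did not clearly originate from the help desk's own UI."""
    return [f for f in findings if f["verdict"] != "same-site"]


if __name__ == "__main__":
    print("1.8.214 vulnerable:", is_vulnerable_version("1.8.214"))
    for f in alert_worthy(find_oauth_disconnects(SAMPLE_LOG, ["helpdesk.example.com"])):
        print(f"{f['time']} mailbox {f['mailbox_id']} ({f['in_out']}/{f['provider']}) "
              f"from {f['client']}: {f['verdict']} referer={f['referer_host']}")
```

Even a same-site Referer only shows where the browser navigated from, so after upgrading the route should still be treated as a sensitive action: the script's value is in surfacing disconnects that an administrator did not knowingly perform, which is the signal the monitoring bullet asks for.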


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products | | Freescout Helpdesk; Freescout Helpdesk freescout

Tue, 21 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.
Title | | FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:24:47.019Z

Reserved: 2026-04-18T02:51:52.973Z

Link: CVE-2026-41194

Vulnrichment

Updated: 2026-04-22T13:24:40.243Z

NVD

Status : Deferred

Published: 2026-04-21T18:16:53.400

Modified: 2026-04-22T21:08:48.550

Link: CVE-2026-41194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses