Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in FreeScout's password reset endpoint. When an email address is submitted, the system returns distinct responses depending on whether the address belongs to an existing user account (an observable discrepancy, CWE-203/CWE-204). Because the endpoint is reachable before login, an unauthenticated attacker can submit candidate addresses and tell valid helpdesk agent accounts from invalid ones. The impact is confidentiality-only: the attacker gains a list of real agent addresses, which is the starting point for targeted phishing or credential-guessing campaigns against the helpdesk.

Affected Systems

The flaw affects FreeScout deployments (freescout-help-desk:freescout) running any version prior to 1.8.219. Versions 1.8.219 and later include the patch that makes the password reset response indistinguishable for valid and invalid email addresses.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction, with a limited confidentiality impact and no integrity or availability impact. No EPSS score is available, so the exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires nothing more than repeated POSTs of candidate addresses to the publicly accessible password reset endpoint and a comparison of the responses; the resulting list of valid accounts enlarges the attack surface for subsequent phishing or credential-based attacks.

Generated by OpenCVE AI on May 29, 2026 at 21:21 UTC.

Remediation

The description states that the issue is fixed in FreeScout 1.8.219; no separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.219 or later, where the password reset response is normalized.
  • If an upgrade is not immediately possible, patch the password reset handler so that it returns the same status, body and redirect for every submitted address, sending the reset mail only when the address matches an account.
  • Rate-limit or add a CAPTCHA to password reset requests (in the application or at the reverse proxy) so that bulk enumeration of candidate addresses is slow and noisy, and alert on bursts of reset requests from a single source.
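The response difference described in the analysis above, and the normalization recommended in the first two actions, as an added example. This is not FreeScout's code and does not reproduce the project's actual handler: it is a minimal, framework-free PHP model of a password reset handler in the leaky form and in a normalized form, plus an oracle check of the kind a tester would run against a live instance. The user list, e-mail addresses and function names (`KNOWN_USERS`, `leakyReset`, `normalizedReset`, `leaksAccountExistence`) are constructed for the illustration; the Laravel constants named in the comment are Laravel's, not FreeScout's.

```php
<?php
declare(strict_types=1);

// Added example (not FreeScout's code): a minimal model of a password-reset
// handler in the leaky form described by this CVE and in a normalized form,
// plus an oracle check that tells the two apart. The user list, addresses
// and function names are constructed for the illustration.

/** Constructed stand-in for the helpdesk's user table (agent e-mail => id). */
const KNOWN_USERS = ['agent@example.com' => 1];

/**
 * Leaky variant: the message text depends on whether the address is known,
 * which is exactly what an unauthenticated client can observe. Laravel's
 * stock reset flow has this shape when it renders
 * PasswordBroker::INVALID_USER and PasswordBroker::RESET_LINK_SENT as
 * different messages.
 */
function leakyReset(string $email, array &$sent): array
{
    if (!isset(KNOWN_USERS[$email])) {
        return ['status' => 200, 'body' => "We can't find a user with that email address."];
    }
    $sent[] = $email;
    return ['status' => 200, 'body' => 'We have emailed your password reset link.'];
}

/**
 * Normalized variant: identical status and body either way; only the
 * side effect (sending the mail) depends on the lookup.
 */
function normalizedReset(string $email, array &$sent): array
{
    if (isset(KNOWN_USERS[$email])) {
        $sent[] = $email;
    }
    return [
        'status' => 200,
        'body'   => 'If an account exists for that address, a password reset link has been sent.',
    ];
}

/**
 * Oracle check: submit one address that exists and one that cannot, then
 * compare everything the client can see (status, length, body). Returns
 * true when the handler leaks account existence.
 */
function leaksAccountExistence(callable $handler): bool
{
    $sent = [];
    $known   = $handler('agent@example.com', $sent);
    $unknown = $handler('nobody-' . bin2hex(random_bytes(4)) . '@example.com', $sent);

    return $known['status'] !== $unknown['status']
        || strlen($known['body']) !== strlen($unknown['body'])
        || $known['body'] !== $unknown['body'];
}

foreach (['leakyReset', 'normalizedReset'] as $handler) {
    printf("%-16s leaks account existence: %s\n",
        $handler, leaksAccountExistence($handler) ? 'yes' : 'no');
}
```

Against a real deployment the same check is run with two HTTP POSTs to the reset endpoint, one with an address known to be an agent and one with a random address, comparing status code, redirect target, body and Content-Length. Note that the normalized variant still does more work (the mail send) when the address exists, so response timing remains a weaker side channel; dispatching the mail to a queue, or doing equivalent work in both branches, closes it. In a Laravel application the rate limiting in the third action is typically applied with the `throttle` route middleware on the reset routes.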



Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type: First Time appeared
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Vendors & Products
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Fri, 29 May 2026 20:15:00 +0000

Type: Description
  Values Added: FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
Type: Title
  Values Added: FreeScout: User Account Enumeration via Password Reset Response Differentiation
Type: Weaknesses
  Values Added: CWE-203, CWE-204
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:52:22.535Z

Reserved: 2026-05-11T20:14:43.201Z

Link: CVE-2026-45294

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T20:16:25.833

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-45294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses