FreeScout CVE-2026-41194

EUVD-2026-24225 MEDIUM

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-04-21 GitHub_M

CSRF

5.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Apr 21, 2026 - 19:01 EUVD

Analysis Generated

Apr 21, 2026 - 18:49 vuln.today

DescriptionNVD

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41194 vulnerability details – vuln.today

Back