Skip to main content

FreeScout EUVDEUVD-2026-24225

| CVE-2026-41194 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-21 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:08 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 18:49 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:45 euvd
EUVD-2026-24225
Analysis Generated
Apr 21, 2026 - 17:45 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.

Technical ContextAI

FreeScout implements mailbox OAuth management via the route /mailbox/oauth-disconnect/{id}/{in_out}/{provider}, which handles credential disconnection for integrated email providers. The vulnerability is a classic CSRF flaw (CWE-352) arising from state-changing operations exposed via GET requests without anti-forgery tokens. OAuth metadata removal is a privileged action that should require POST/PUT with token validation. The affected CPE cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* indicates all versions prior to 1.8.215 are vulnerable.

RemediationAI

Upgrade FreeScout to version 1.8.215 or later, which implements CSRF token validation on the OAuth disconnect endpoint by converting it to a POST route with token protection. The fix is confirmed in commit eb397efae2086524ba0ee91abb916de8db7a4ac1 available at https://github.com/freescout-help-desk/freescout/commit/eb397efae2086524ba0ee91abb916de8db7a4ac1. If immediate patching is impossible, apply defense-in-depth measures: implement Content Security Policy (CSP) headers with frame-ancestors 'none' to limit iframe embedding, configure SameSite=Strict cookies for session tokens to prevent cross-site transmission (side effect: breaks some legitimate cross-origin forms), and educate admins to avoid clicking suspicious links while logged into FreeScout. These compensating controls do not eliminate the vulnerability but significantly raise attacker effort.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

EUVD-2026-24225 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy