Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.
AnalysisAI
Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.
Technical ContextAI
FreeScout implements mailbox OAuth management via the route /mailbox/oauth-disconnect/{id}/{in_out}/{provider}, which handles credential disconnection for integrated email providers. The vulnerability is a classic CSRF flaw (CWE-352) arising from state-changing operations exposed via GET requests without anti-forgery tokens. OAuth metadata removal is a privileged action that should require POST/PUT with token validation. The affected CPE cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* indicates all versions prior to 1.8.215 are vulnerable.
RemediationAI
Upgrade FreeScout to version 1.8.215 or later, which implements CSRF token validation on the OAuth disconnect endpoint by converting it to a POST route with token protection. The fix is confirmed in commit eb397efae2086524ba0ee91abb916de8db7a4ac1 available at https://github.com/freescout-help-desk/freescout/commit/eb397efae2086524ba0ee91abb916de8db7a4ac1. If immediate patching is impossible, apply defense-in-depth measures: implement Content Security Policy (CSP) headers with frame-ancestors 'none' to limit iframe embedding, configure SameSite=Strict cookies for session tokens to prevent cross-site transmission (side effect: breaks some legitimate cross-origin forms), and educate admins to avoid clicking suspicious links while logged into FreeScout. These compensating controls do not eliminate the vulnerability but significantly raise attacker effort.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24225