Platform
php
Component
freescout-help-desk
Fixed in
1.8.215
CVE-2026-41194 describes a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. The OAuth disconnect route lacked CSRF protection, so an attacker can trigger an OAuth disconnect on behalf of a logged-in mailbox administrator, severing that mailbox's connection to its mail provider. Versions 1.0.0 through 1.8.214 are affected; the fix is in version 1.8.215.
The primary impact is an unauthorized OAuth disconnect. An attacker places a link, or a page element that requests the disconnect URL, on a site they control; when a logged-in FreeScout mailbox administrator visits it, the browser sends the request with the administrator's session cookie attached and the OAuth connection of the targeted mailbox is silently removed. The attacker needs to know or guess the mailbox id and provider that appear in the route, but nothing else. The direct effect is disruption: the mailbox stops fetching or sending mail through the OAuth-connected provider until an administrator reconnects it, and the attacker can repeat the disconnect each time. The vulnerability does not lead to remote code execution, and disconnecting an integration does not by itself hand the attacker any data; the risk is availability, which matters most where FreeScout handles customer-facing or business-critical mail. The blast radius is every agent and customer relying on the affected mailbox.
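What such a hit looks like in the web server access log, and how to hunt for it retrospectively, as an added example that is not part of this advisory or of FreeScout. It assumes combined log format (Apache/nginx default), a FreeScout instance at helpdesk.example.com and the route shape given in the mitigation section below; the log lines, the attacker host attacker.example.net, the mailbox id, the direction and provider segments and the response codes are all constructed.

```python
import re
from urllib.parse import urlparse

# Route shape from the advisory: /mailbox/oauth-disconnect/{id}/{in_out}/{provider}.
# The three segments are treated as opaque; their real values are not assumed.
DISCONNECT_RE = re.compile(r"^/mailbox/oauth-disconnect/[^/?]+/[^/?]+/[^/?]+/?(?:\?.*)?$")

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_is_trusted(referer, app_host):
    """True only when the Referer's hostname is exactly the FreeScout host.

    Exact comparison matters: a prefix test would accept
    helpdesk.example.com.attacker.example.net."""
    if referer in ("", "-"):
        return False
    return (urlparse(referer).hostname or "").lower() == app_host.lower()


def find_cross_site_disconnects(log_lines, app_host):
    """Return the requests to the disconnect route that did not come from a page
    on the FreeScout host itself.

    An empty or "-" Referer is reported too: a link on a third-party page served
    with Referrer-Policy: no-referrer produces exactly that, so the log alone
    cannot tell it apart from a typed URL. Treat those as leads to confirm with
    the administrator, not as proof."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not DISCONNECT_RE.match(m["path"]):
            continue
        if referer_is_trusted(m["referer"], app_host):
            continue
        hits.append({
            "time": m["time"],
            "client": m["client"],
            "path": m["path"],
            "referer": m["referer"],
            "status": int(m["status"]),
        })
    return hits


# Constructed sample traffic (not real log data). Line 2 is a legitimate
# disconnect from the mailbox settings page; lines 3 to 5 are the cases to flag.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:01:12 +0000] "GET /mailbox/1 HTTP/1.1" 200 5120 "https://helpdesk.example.com/mailboxes" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2026:10:02:40 +0000] "GET /mailbox/oauth-disconnect/1/in/microsoft HTTP/1.1" 302 0 "https://helpdesk.example.com/mailbox/1/connection-settings" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2026:10:15:03 +0000] "GET /mailbox/oauth-disconnect/1/in/microsoft HTTP/1.1" 302 0 "https://attacker.example.net/promo" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2026:10:15:09 +0000] "GET /mailbox/oauth-disconnect/1/out/microsoft HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Apr/2026:10:16:00 +0000] "GET /mailbox/oauth-disconnect/1/in/microsoft HTTP/1.1" 302 0 "https://helpdesk.example.com.attacker.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_cross_site_disconnects(SAMPLE_LOG, "helpdesk.example.com"):
        print(hit)
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; a disconnect followed within seconds by the same client reconnecting through the OAuth flow is the pattern an unprepared administrator leaves behind, so sort the hits by time and client before reviewing them.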
CVE-2026-41194 was published on April 21, 2026. There is no indication that it is being exploited in the wild, and no public proof-of-concept (PoC) code has been released. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score of 0.01% (3rd percentile) indicates a low probability of near-term exploitation. Note that a CSRF of this kind needs no tooling beyond a link on a page the administrator visits, so the absence of a PoC says little about how easy it is to exploit.
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-41194 is to upgrade FreeScout to version 1.8.215 or later. If upgrading is not immediately feasible because of compatibility concerns or downtime restrictions, a temporary workaround is to block cross-site requests to the /mailbox/oauth-disconnect/{id}/{in_out}/{provider} route at the reverse proxy in front of FreeScout: deny requests to that path whose Sec-Fetch-Site header is cross-site, or whose Origin or Referer names a host other than the FreeScout instance. Restricting the endpoint to trusted administrator IP addresses does not help, because a CSRF request is sent by the administrator's own browser, from an allowed address, with their session cookie attached. Marking the session cookie SameSite=Strict also defeats the attack; SameSite=Lax does not, since Lax still sends the cookie on a cross-site link the administrator follows (a top-level navigation). Input validation and output encoding are defences against injection and XSS and do nothing for CSRF. After upgrading, confirm the fix while logged in as a mailbox administrator: issue a request to the disconnect route from a page on another origin, or without the form's CSRF token, and verify that FreeScout rejects it (Laravel, on which FreeScout is built, answers a missing or invalid token with HTTP 419, Page Expired) and that the OAuth connection remains in place. Testing from a logged-out session only exercises authentication, not CSRF protection.
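The decision the proxy workaround has to make, written out in Python as an added example (not FreeScout code and not an nginx or Apache configuration): for a request to the disconnect route it consults the initiator signals in order of trust, Sec-Fetch-Site first because the browser sets it and page content cannot, then Origin, then Referer, and fails closed when none is present. The route pattern follows the advisory; the hostname helpdesk.example.com and the sample requests are assumptions.

```python
import re
from urllib.parse import urlparse

# Route shape from the advisory; id, in_out and provider are opaque segments here.
DISCONNECT_RE = re.compile(r"^/mailbox/oauth-disconnect/[^/?]+/[^/?]+/[^/?]+/?(?:\?.*)?$")


def decide(path, headers, app_host):
    """Return ('allow' | 'block', reason) for one request to FreeScout.

    Models a reverse-proxy rule that guards only the disconnect route until the
    patched version is deployed. The method is irrelevant: a cross-site GET via a
    link and a cross-site POST via an auto-submitted form both carry the cookie.
    """
    if not DISCONNECT_RE.match(path):
        return "allow", "not the disconnect route"
    h = {k.lower(): v for k, v in headers.items()}

    site = h.get("sec-fetch-site")
    if site is not None:
        # 'none' is a user-initiated navigation (typed URL, bookmark).
        # 'same-site' (a sibling subdomain) is deliberately treated as foreign.
        if site in ("same-origin", "none"):
            return "allow", f"sec-fetch-site={site}"
        return "block", f"sec-fetch-site={site}"

    for name in ("origin", "referer"):
        val = h.get(name)
        if val:
            host = (urlparse(val).hostname or "").lower()
            # Exact hostname match: helpdesk.example.com.attacker.example.net must not pass,
            # and an Origin of "null" yields no hostname and is refused.
            if host == app_host.lower():
                return "allow", f"{name} host matches"
            return "block", f"{name} host {host!r} is foreign"

    # A cross-site link served under Referrer-Policy: no-referrer arrives with no
    # initiator headers at all, so this case fails closed. Administrators who
    # bookmark the disconnect URL will be refused by this rule; that is acceptable
    # for a route that is only reached from the mailbox settings page.
    return "block", "no initiator headers"


APP_HOST = "helpdesk.example.com"                       # assumed instance hostname
DISCONNECT = "/mailbox/oauth-disconnect/1/in/microsoft"  # constructed example URL

# Constructed requests (not captured traffic) covering each branch above.
CASES = [
    ("/mailbox/1", {"Sec-Fetch-Site": "cross-site"}),
    (DISCONNECT, {"Sec-Fetch-Site": "same-origin", "Referer": "https://helpdesk.example.com/mailbox/1"}),
    (DISCONNECT, {"Sec-Fetch-Site": "cross-site", "Referer": "https://attacker.example.net/"}),
    (DISCONNECT, {"Referer": "https://helpdesk.example.com/mailbox/1"}),
    (DISCONNECT, {"Referer": "https://helpdesk.example.com.attacker.example.net/"}),
    (DISCONNECT, {"Origin": "null"}),
    (DISCONNECT, {}),
]

if __name__ == "__main__":
    for path, hdrs in CASES:
        verdict, reason = decide(path, hdrs, APP_HOST)
        print(f"{verdict:5} {path} {hdrs} ({reason})")
```

Translating this into a proxy rule means comparing the same three headers in the same order; the fail-closed default for missing headers is the part most often dropped in a hand-written config, and it is the case a no-referrer attacker page relies on.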
Update FreeScout to version 1.8.215 or later to mitigate the vulnerability. The update fixes the issue by adding a CSRF token to the OAuth disconnect route, preventing cross-site request forgery (CSRF) attacks.
CVE-2026-41194 is a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout versions 1.0.0 through 1.8.214, allowing attackers to disconnect OAuth integrations.
You are affected if you are running FreeScout versions 1.0.0 through 1.8.214. Upgrade to version 1.8.215 or later to mitigate the vulnerability.
Upgrade FreeScout to version 1.8.215 or later. As a temporary workaround, block cross-site requests to the /mailbox/oauth-disconnect route at the reverse proxy in front of FreeScout.
There is currently no evidence of CVE-2026-41194 being actively exploited in the wild, and no public PoCs are available.
Refer to the FreeScout security advisory on their website or GitHub repository for the latest information and updates regarding CVE-2026-41194.