Platform
php
Component
freescout-help-desk
Fixed version
1.8.216
CVE-2026-41194 describes a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. The flaw lets an attacker trigger the OAuth disconnect action with the session of a logged-in mailbox administrator, forcibly severing a mailbox's OAuth connection to its mail provider. It affects versions 1.0.0 through 1.8.214; a patch is available in version 1.8.215.
The primary impact is an unauthorized OAuth disconnect. An attacker places a link or an embedded resource pointing at the disconnect URL on a page the administrator visits; the browser attaches the FreeScout session cookie, the request is accepted as the administrator's, and the integration is silently disconnected. The direct consequence is loss of availability: the affected mailbox stops fetching or sending mail through the provider until an administrator re-authorizes it, and every workflow that depends on that mail flow stalls. The vulnerability does not give the attacker the stored OAuth tokens and does not lead to remote code execution, but repeated or well-timed disconnects are a meaningful disruption where FreeScout carries business-critical mail. The blast radius is every user of the affected mailbox.
CVE-2026-41194 was published on April 21, 2026. There is no indication that it is being exploited in the wild, and no public proof-of-concept (PoC) has been released. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.01% (3rd percentile), indicating a low probability of near-term exploitation. Bear in mind that a CSRF against a GET endpoint needs no tooling beyond a page the administrator visits, so the absence of a PoC is a weak signal.
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-41194 is to upgrade FreeScout to version 1.8.215 or later. If the upgrade cannot be applied immediately, any interim control has to account for how CSRF works: the forged request is sent by the administrator's own browser, so allow-listing source IP addresses at the firewall does nothing. What does help is refusing requests to the /mailbox/oauth-disconnect/{id}/{in_out}/{provider} path (the in_out segment selects the incoming or outgoing mail connection) unless the browser marks them as same-origin: reject them at the reverse proxy or in the application when Sec-Fetch-Site is present and not same-origin, or when the Origin or Referer host differs from the FreeScout host. The rules that prevent this class of bug going forward are no state change on GET, a CSRF token on every state-changing request, and the SameSite attribute on the session cookie; input validation and output encoding address injection, not CSRF. After upgrading, verify the fix while logged in as a mailbox administrator: issue a request to the disconnect path without the session's CSRF token, or with a foreign Origin header, and confirm it is rejected (Laravel, which FreeScout is built on, answers a token mismatch with HTTP 419) and that the mailbox stays connected. A request from a browser that is not logged in proves nothing, because authentication alone rejects it.
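If the upgrade has to wait, the interim control that actually addresses CSRF is a check on where the request came from, not on which IP sent it. The Laravel-style middleware below is an added illustration written for this page, not FreeScout's code; the class name, the protected path pattern, the 403 response and the decision to fail closed when the browser sends no origin signal are assumptions of the example. It lets the disconnect path through only for requests the browser marks as same-origin, which is how a click on the real "Disconnect" control inside the FreeScout UI arrives.

```php
<?php
// Added illustration for this page, not FreeScout's code. Class name, the
// protected path pattern and the fail-closed choice below are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class BlockCrossSiteOauthDisconnect
{
    /** Laravel path pattern for the endpoint named in the advisory. */
    private const PROTECTED_PATTERN = 'mailbox/oauth-disconnect/*';

    public function handle(Request $request, Closure $next)
    {
        if ($request->is(self::PROTECTED_PATTERN) && !$this->isSameOrigin($request)) {
            // A plain error, not a redirect: a forged navigation must not be
            // able to complete the disconnect by following a Location header.
            abort(403, 'Cross-site request to the OAuth disconnect endpoint rejected.');
        }

        return $next($request);
    }

    /**
     * True only when the browser gives positive evidence that the request was
     * initiated from FreeScout's own origin.
     *
     *  1. Sec-Fetch-Site: set by the browser, not settable by page script.
     *     'same-site' is treated as foreign on purpose (a sibling subdomain is
     *     not necessarily trusted); 'none' (address bar, e-mail client link)
     *     is rejected because no legitimate workflow reaches this URL that way.
     *  2. Origin, then Referer, for browsers that do not send Sec-Fetch-Site.
     *  3. No signal at all: fail closed. An attacker page can strip Referer
     *     with referrerpolicy="no-referrer", so silence is not innocence.
     */
    private function isSameOrigin(Request $request): bool
    {
        $fetchSite = strtolower((string) $request->header('Sec-Fetch-Site', ''));
        if ($fetchSite !== '') {
            return $fetchSite === 'same-origin';
        }

        $ownHost = strtolower($request->getHost());
        foreach (['Origin', 'Referer'] as $header) {
            $value = (string) $request->header($header, '');
            if ($value === '') {
                continue;
            }
            $host = parse_url($value, PHP_URL_HOST);
            return is_string($host) && strtolower($host) === $ownHost;
        }

        return false;
    }
}
```

Register it in the global `$middleware` array in app/Http/Kernel.php so it runs before routing, and remove it once the upgrade is in place. The same decision can be expressed as a location rule in nginx or Apache if the application tree must not be modified; note that `$request->getHost()` reflects forwarded headers only when the proxy is listed in Laravel's TrustProxies configuration.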
Update FreeScout to version 1.8.215 or later to mitigate the vulnerability. The update fixes the issue by implementing a CSRF token on the OAuth disconnect path, which prevents cross-site request forgery (CSRF) attacks.
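To make the fix concrete: Laravel's VerifyCsrfToken middleware skips GET, HEAD and OPTIONS, so a state-changing GET link is forgeable no matter which middleware group the route sits in. The following is an added illustration of the vulnerable and hardened shapes, written for this page; it is not FreeScout's actual route, controller or template code, and the controller, policy, route and helper names it uses are assumptions.

```php
<?php
// Added illustration for this page, not FreeScout's code. Route, controller,
// policy, template and helper names are assumptions of the example.

use App\Http\Controllers\Controller;
use App\Mailbox;                 // FreeScout's mailbox model; methods used below are assumed
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// --- Vulnerable shape (routes/web.php) -------------------------------------
// The 'web' group includes VerifyCsrfToken, but that middleware only checks
// POST/PUT/PATCH/DELETE. A GET that performs a write is therefore reachable
// from any page the administrator visits: a link or image pointing at this
// URL is sent with the admin's session cookie and the disconnect happens.
Route::get('/mailbox/oauth-disconnect/{id}/{in_out}/{provider}',
    'MailboxController@oauthDisconnect')->middleware('auth');

// --- Hardened shape ---------------------------------------------------------
// Move the action to POST so VerifyCsrfToken applies, and render it as a
// form that carries the session token instead of as a bare <a href>.
Route::post('/mailbox/oauth-disconnect/{id}/{in_out}/{provider}',
    'MailboxController@oauthDisconnect')
    ->middleware('auth')
    ->name('mailboxes.oauth_disconnect');

/*
  Matching Blade snippet (csrf_field() works on Laravel 5.5, FreeScout's base):

  <form method="POST"
        action="{{ route('mailboxes.oauth_disconnect', [$mailbox->id, 'in', $provider]) }}">
      {{ csrf_field() }}
      <button type="submit" class="btn btn-default">Disconnect</button>
  </form>
*/

class MailboxController extends Controller
{
    public function oauthDisconnect(Request $request, $id, $in_out, $provider)
    {
        // If, for compatibility, the link has to stay a GET, the token must be
        // checked by hand, because VerifyCsrfToken will not do it for a GET.
        // The link then has to carry it: route(...) . '?_token=' . csrf_token().
        // Tokens in URLs leak through Referer headers and access logs, so this
        // is the weaker option; the POST form above is preferred.
        if ($request->isMethod('get')) {
            $supplied = (string) $request->query('_token', '');
            if ($supplied === ''
                || !hash_equals($request->session()->token(), $supplied)) {
                abort(419); // the status Laravel itself uses for a token mismatch
            }
        }

        if (!in_array($in_out, ['in', 'out'], true)) {
            abort(404);
        }

        $mailbox = Mailbox::findOrFail($id);
        // Assumed policy name: only a mailbox administrator may change its
        // OAuth connections. CSRF protection complements this, never replaces it.
        $this->authorize('admin', $mailbox);

        // Revoke the stored credentials for this connection. The persistence
        // details are project-specific and deliberately not reproduced here.
        $mailbox->disconnectOauth($in_out, $provider); // assumed helper

        return redirect()->back()->with('flash_success', 'OAuth connection removed');
    }
}
```

The manual `hash_equals` check in the controller is what "a CSRF token on the path" amounts to if the endpoint remains a GET; the POST route plus form is the cleaner fix because the framework then enforces the token for every caller of the route, including any future code path that links to it.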
CVE-2026-41194 is a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout versions 1.0.0 through 1.8.214 that lets an attacker make a logged-in mailbox administrator's browser disconnect a mailbox's OAuth integration.
You are affected if you are running FreeScout versions 1.0.0 through 1.8.214. Upgrade to version 1.8.215 or later to mitigate the vulnerability.
Upgrade FreeScout to version 1.8.215 or later. As a temporary workaround, restrict access to the /mailbox/oauth-disconnect endpoint.
There is currently no evidence of CVE-2026-41194 being actively exploited in the wild, and no public PoCs are available.
Refer to the FreeScout security advisory on their website or GitHub repository for the latest information and updates regarding CVE-2026-41194.