CVE-2026-41194

MEDIUM

FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable

Title source: cna

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

References (3)

Scores

CVSS v3 5.4
EPSS 0.0001
EPSS Percentile 2.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Details

CWE
CWE-352
Status published
Products (1)
freescout-help-desk/freescout < 1.8.215
Published Apr 21, 2026
Tracked Since Apr 21, 2026