CVE-2026-41194 MEDIUM

CVE-2026-41194: FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable

Vendor Freescout-Help-Desk
Product freescout
Weakness CWE-352 · CSRF
Published April 21, 2026
Last update April 22, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-45823 WordPress Video Contest WordPress Plugin Plugin <= 3.2 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2026-1398 Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update CVE-2021-3993 Cross-Site Request Forgery (CSRF) in star7th/showdoc CVE-2024-2970 News Wall <= 1.1.0 - Cross-Site Request Forgery to Plugin Settings Update CVE-2024-31378 WordPress MailChimp Forms by MailMunch plugin <= 3.2.1 - Cross Site Request Forgery (CSRF) vulnerability