CVE-2026-41194 PUBLISHED

FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable

Assigner: GitHub_M
Reserved: 18.04.2026 Published: 21.04.2026 Updated: 21.04.2026

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	freescout-help-desk
Product	freescout
Versions	Version < 1.8.215 is affected

References

Problem Types

CWE-352: Cross-Site Request Forgery (CSRF) CWE