CVE-2026-45294 PUBLISHED

FreeScout: User Account Enumeration via Password Reset Response Differentiation

Assigner: GitHub_M
Reserved: 11.05.2026 Published: 29.05.2026 Updated: 29.05.2026

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	freescout-help-desk
Product	freescout
Versions	Version < 1.8.219 is affected

References

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855

Problem Types

CWE-203: Observable Discrepancy CWE
CWE-204: Observable Response Discrepancy CWE