Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

INFO

Published Date :

2026-04-21T17:16:50.438Z

Last Modified :

2026-04-22T13:24:47.019Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41194 vulnerability.

Vendors Products
Freescout Helpdesk
  • Freescout
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41194.

URL Resource
https://github.com/freescout-help-desk/freescout/commit/eb397efae2086524ba0ee91abb916de8db7a4ac1 cve-icon cve-icon
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215 cve-icon cve-icon
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6rvw-fhqx-cfv5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact