CVE-2026-41194
CWE-352 · Published: April 21, 2026 · Updated: Apr 22, 2026
Official Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.
Technical Analysis
CVE-2026-41194 can be exploited remotely over the network; no physical or adjacent access is needed.
The attacker needs no privileges, but user interaction is required: the request has to be triggered cross-site from the browser of a logged-in mailbox admin. This slightly reduces the risk of mass automated attacks.
Recommended Actions
- Apply vendor patches immediately (the fix is in FreeScout 1.8.215)
- Monitor CVE-2026-41194 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
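
A detection sketch for the log review recommended above, added here and not taken from FreeScout or the advisory: it scans combined-format web access log lines for GET requests to the disconnect route whose Referer is missing or points off-site. The hostname, the log lines and the `in_out`/`provider` values in them are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostname admins use to reach FreeScout (placeholder value).
HELPDESK_HOST = "helpdesk.example.test"

# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
# Route shape from the advisory: /mailbox/oauth-disconnect/{id}/{in_out}/{provider}
ROUTE_RE = re.compile(r'^/mailbox/oauth-disconnect/([^/?]+)/([^/?]+)/([^/?]+)')

def classify_referer(referer, host=HELPDESK_HOST):
    """Return 'same-site', 'cross-site' or 'no-referer' for a Referer value."""
    if referer in ("", "-"):
        return "no-referer"  # stripped by referrer policy, or typed/bookmarked URL
    return "same-site" if urlsplit(referer).hostname == host else "cross-site"

def find_disconnects(lines, host=HELPDESK_HOST):
    """Collect GET disconnect requests that did not originate from the help desk UI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        route = ROUTE_RE.match(m["path"])
        if not route:
            continue
        origin = classify_referer(m["referer"], host)
        if origin != "same-site":
            # Note: the client IP is the admin's browser, not the page that sent it.
            hits.append({"time": m["time"], "ip": m["ip"], "mailbox_id": route[1],
                         "in_out": route[2], "provider": route[3], "origin": origin})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [21/Apr/2026:09:58:40 +0000] "GET /mailbox/oauth-disconnect/3/in/example-provider HTTP/1.1" 302 512 "https://helpdesk.example.test/mailbox/settings/3" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Apr/2026:10:02:11 +0000] "GET /mailbox/oauth-disconnect/3/in/example-provider HTTP/1.1" 302 512 "https://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2026:10:05:27 +0000] "GET /mailbox/oauth-disconnect/7/out/example-provider HTTP/1.1" 302 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2026:10:06:02 +0000] "GET /mailbox/settings/7 HTTP/1.1" 200 8120 "https://other.example.net/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_disconnects(SAMPLE_LOG):
        print(hit)
```

A `no-referer` hit is weaker evidence than a `cross-site` one, so treat it as a prompt to check whether the mailbox's OAuth connection was lost at that time.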