Impact Analysis

This vulnerability can impact you by allowing an attacker to disrupt your mailbox's OAuth connections without your consent. Specifically, an attacker can cause the removal of stored OAuth metadata, which disables inbound mail fetching and outbound OAuth mail delivery for the affected mailbox.

The impact includes a low integrity and availability impact, meaning that while no confidential data is exposed, the attacker can interfere with mail services, potentially causing mail delivery failures or interruptions.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41194 is a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout, a self-hosted help desk software. The vulnerability exists in the mailbox OAuth disconnect functionality, which is implemented as a GET request at the endpoint /mailbox/oauth-disconnect/{id}/{in_out}/{provider}. Because this action removes stored OAuth metadata without requiring a CSRF token, an attacker can trick a logged-in mailbox administrator into triggering this request by visiting a malicious webpage. This causes the OAuth credentials to be disconnected without the admin's consent.

The vulnerability was fixed in version 1.8.215 by adding CSRF token verification to the OAuth disconnect action, ensuring that only authorized requests can perform this operation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your FreeScout installation is running a version prior to 1.8.215 and if the OAuth disconnect endpoint is accessible via a GET request without CSRF token verification.

You can verify the presence of OAuth metadata in the mailbox database and test if the GET request to the endpoint `/mailbox/oauth-disconnect/{id}/{in_out}/{provider}` removes this metadata without requiring a CSRF token.

Example commands to detect the vulnerability include:

• Use a PostgreSQL command to check for OAuth metadata in a mailbox, e.g., querying mailbox ID 39 for OAuth tokens.
• Use curl to authenticate as an admin and capture CSRF tokens.
• Send an authenticated GET request to `/mailbox/oauth-disconnect/39/in/google` and verify if the OAuth metadata is removed.

Additionally, you can look for suspicious GET requests to the OAuth disconnect endpoint in your web server or application logs.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.215 or later, where the vulnerability is fixed by adding CSRF token verification to the OAuth disconnect endpoint.

If upgrading immediately is not possible, consider restricting access to the OAuth disconnect endpoint to trusted users only and avoid exposing it publicly.

Monitor and audit logs for unauthorized GET requests to the `/mailbox/oauth-disconnect` endpoint to detect potential exploitation attempts.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41194 is a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout, a self-hosted help desk software. The vulnerability exists in the mailbox OAuth disconnect functionality, which is implemented as a GET request at the endpoint /mailbox/oauth-disconnect/{id}/{in_out}/{provider}. Because this is a GET route, it does not require a CSRF token, allowing an attacker to trick a logged-in mailbox administrator into triggering the OAuth disconnect action without their consent.

This action removes stored OAuth metadata from the mailbox, effectively disconnecting OAuth credentials. The vulnerability allows unauthorized requests to disconnect OAuth connections by exploiting the lack of CSRF protection on a state-changing GET request.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to disrupt your mailbox's OAuth connections without your permission. Specifically, an attacker can cause the OAuth credentials for your mailbox to be disconnected, which can interrupt inbound mail fetching and outbound OAuth mail delivery.

The impact includes a low integrity and availability impact, meaning the attacker can modify OAuth metadata and cause temporary disruption of mail services. The attacker does not need special privileges but requires the victim to be logged in and visit a malicious webpage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your FreeScout installation is running a version prior to 1.8.215 and if the OAuth disconnect endpoint is accessible via a GET request without CSRF token verification.

You can verify the presence of OAuth metadata in the mailbox database and test if the GET request to the disconnect endpoint removes this metadata without requiring a CSRF token.

Example commands from the advisory include:

• Use a PostgreSQL command to insert dummy OAuth tokens into mailbox ID 39 to simulate OAuth metadata.
• Use curl commands to log in as an admin, capturing and using CSRF tokens for authentication.
• Trigger the OAuth disconnect via an authenticated GET request, for example: `curl -X GET http://your-freescout-instance/mailbox/oauth-disconnect/39/in/google`.

If the OAuth metadata is removed after this GET request without requiring a CSRF token, the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.215 or later, where the vulnerability is fixed by adding CSRF token verification to the OAuth disconnect action.

If upgrading is not immediately possible, restrict access to the OAuth disconnect endpoint to trusted users only and avoid clicking on untrusted links that could trigger the GET request.

Additionally, monitor and audit OAuth metadata changes to detect unauthorized disconnects.

Useful 0 Not Useful 0