CVE-2026-41905
Open Redirect Vulnerability in FreeScout Help Desk
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | up to 1.8.217 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade FreeScout to version 1.8.217 or later, where the vulnerability has been patched.
Until the upgrade can be applied, restrict or monitor the inbound email attachments and user-supplied URLs that FreeScout processes, since these are the inputs that cause the server to make outbound HTTP requests.
Implement network-level controls to block FreeScout servers from making HTTP requests to internal IP ranges or cloud metadata endpoints.
Review and tighten permissions for modules that allow URL inputs, such as module downloads and customer photo URLs.
Can you explain this vulnerability to me?
CVE-2026-41905 is a Server-Side Request Forgery (SSRF) vulnerability in FreeScout, help desk software built on the Laravel PHP framework. The issue exists in the Helper::sanitizeRemoteUrl() function, which follows HTTP redirects but re-validates the original URL instead of the URL reached after redirection. An attacker can therefore supply a URL whose host passes the initial check but which redirects to an internal or otherwise restricted HTTP service, such as a cloud metadata endpoint or an internal API that the host check was meant to block.
The vulnerability can be exploited through multiple entry points, including customer photo URLs, module download URLs (admin-only), and inbound email attachment processing, with the latter requiring no authentication. An attacker can send an email containing an inline image pointing to a malicious redirector to exploit this flaw.
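The re-validation mistake described above, as an added Python sketch that is not FreeScout's own code: the flawed fetcher checks only the submitted URL and then follows redirects blindly, while the hardened one keeps automatic redirects off and re-checks the resolved address of every hop before requesting it. DNS and the remote servers' redirect answers are replaced by constructed tables (all host names and addresses are hypothetical) so the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse
MAX_HOPS = 5
# Constructed stand-ins for DNS and for remote servers' redirect answers, so the
# example runs offline. All host names and addresses here are hypothetical.
FAKE_DNS = {"cdn.example": "203.0.113.10",         # ordinary public image host
            "redir.example": "198.51.100.7",       # public host that answers with a redirect
            "metadata.internal": "169.254.169.254"}
FAKE_REDIRECTS = {
    "http://redir.example/img.png": "http://169.254.169.254/latest/meta-data/",
    "http://cdn.example/moved.png": "http://cdn.example/final.png",
    "http://cdn.example/loop": "http://cdn.example/loop",
}
DENIED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def host_is_allowed(host):
    """Resolve the host and reject loopback, private, link-local (metadata) and CGNAT addresses."""
    try:
        ip = ipaddress.ip_address(FAKE_DNS.get(host, host))  # literal IPs pass straight through
    except ValueError:
        return False  # unresolvable name: fail closed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not any(ip in net for net in DENIED_NETS)

def validate_url(url):
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname is not None and host_is_allowed(p.hostname)

def fetch_vulnerable(url):
    """Flawed pattern: validate only the supplied URL, then follow redirects blindly."""
    if not validate_url(url):
        return None
    current = url
    for _ in range(MAX_HOPS):
        current = FAKE_REDIRECTS.get(current, current)
    return current  # the URL actually contacted last

def fetch_hardened(url):
    """Automatic redirects off: every hop is validated before it is requested."""
    current = url
    for _ in range(MAX_HOPS + 1):
        if not validate_url(current):
            return None  # hop points at a disallowed address
        nxt = FAKE_REDIRECTS.get(current)
        if nxt is None:
            return current  # no further redirect: this is the final, validated URL
        current = nxt
    return None  # redirect chain too long
```

In a real client the address that passed the check should also be the one the socket connects to, otherwise a second DNS lookup between check and connect can return a different answer.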
How can this vulnerability impact me?
This vulnerability can allow an attacker to access internal HTTP services and sensitive internal resources that are normally protected, such as cloud metadata services and internal APIs. This can lead to unauthorized information disclosure, including exfiltration of internal secrets.
Because the vulnerability can be exploited without user interaction and with low privileges, it poses a high risk. Attackers can leverage it to bypass security boundaries of the application and gain access to internal network resources, potentially compromising the confidentiality of sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Server-Side Request Forgery (SSRF) in FreeScout versions prior to 1.8.217, exploitable via URLs that pass initial host checks but redirect to internal HTTP services.
Detection can focus on monitoring HTTP requests made by FreeScout, especially those involving customer photo URLs, module download URLs (admin-only), and inbound email attachments, since these are the entry points.
You can look for unusual outbound HTTP requests from the FreeScout server to internal IP ranges (RFC 1918), loopback or link-local addresses, or cloud metadata endpoints.
Suggested commands include using network monitoring tools or packet capture utilities to filter HTTP requests originating from the FreeScout server.
- Using tcpdump to capture HTTP traffic from the FreeScout server (the parentheses matter, otherwise the filter matches all traffic on port 443): `tcpdump -i <interface> -n host <freescout_server_ip> and (port 80 or port 443)`
- Using curl or wget to check whether a suspected URL redirects internally, for example: `curl -v <suspected_url>` (without `-L`, so the Location header is shown but not followed); run this from an isolated host rather than from the FreeScout server itself.
- Checking FreeScout logs for suspicious URL inputs or redirects.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-41905 in FreeScout allows attackers to bypass host restrictions and reach internal HTTP services or cloud metadata endpoints that should be blocked. This can lead to unauthorized access to sensitive internal resources and potentially to the exfiltration of internal secrets.
Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and internal systems from unauthorized access.
However, the provided context does not explicitly mention compliance impacts or specific regulatory considerations.