CVE-2026-45294
Deferred - Pending Action
Password Reset User Enumeration in FreeScout

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
Meta Information
Published: 2026-05-29
Last Modified: 2026-06-02
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Associated CPEs (2):
Vendor     Product     Version / Range
freescout  freescout   1.8.219
freescout  freescout   up to 1.8.219 (excluding)
CWE
CWE-204 (Observable Response Discrepancy): The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
CWE-203 (Observable Discrepancy): The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Impact Analysis

This vulnerability allows unauthenticated attackers to enumerate valid helpdesk agent email addresses by submitting candidate addresses to the password reset endpoint and noting which ones produce the "account exists" response.

A confirmed list of agent addresses supports targeted phishing of those agents and impersonation of agents toward customers, and it removes the guesswork from credential attacks such as password spraying against the FreeScout login form, since the attacker already knows which usernames exist.

Compliance Impact

The vulnerability discloses which email addresses belong to helpdesk agent accounts to anyone who can reach the password reset endpoint, which in turn facilitates targeted phishing and agent impersonation.

The CVE description and its linked resources make no statement about specific regulations such as GDPR or HIPAA. An agent's work email address is nevertheless personal data under such frameworks, so an unauthenticated disclosure path of this kind can be treated as a data-protection weakness.

Organizations running affected versions of FreeScout may therefore need to assess and document this exposure against requirements that mandate safeguarding personal data from unauthorized access or disclosure.

Executive Summary

CVE-2026-45294 is a vulnerability in FreeScout Help Desk software versions prior to 1.8.219. It occurs because the password reset endpoint returns different visible responses depending on whether the submitted email address belongs to an existing user account.

Specifically, when a password reset request is submitted, the page renders a success message styled with one CSS class if the address belongs to an existing user, and an error message styled with a different CSS class if it does not. An unauthenticated attacker can therefore tell valid helpdesk agent addresses from invalid ones without ever logging in.

Detection Guidance

Test the password reset form of a FreeScout instance with one address known to belong to an agent and one that does not, and compare the two responses. Compare more than the visible message: the HTTP status code, the Location header of any redirect, the CSS class and text of the alert box, and the response length and timing.

Two curl requests are enough for a manual check. Because FreeScout is a Laravel application, the POST must carry the session cookie and the CSRF token from the reset form, otherwise both requests fail identically and prove nothing.

If the responses differ in CSS class, message text, status code or redirect target depending on whether the address is valid, the vulnerability is present. On a patched instance (1.8.219 or later) the two responses should be indistinguishable; before concluding that, confirm that neither request was rate-limited, which would introduce a difference unrelated to the email.
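The comparison described above, as an added example rather than code from the page or from the FreeScout project: it reduces each response to the fields that must not depend on the submitted address (status, alert CSS class, alert text, rough body length) and flags any discrepancy. The live `probe()` helper assumes Laravel's default auth routes (`/password/reset` for the form, `/password/email` for the POST) and a `_token` CSRF field; both are assumptions, not taken from the advisory. The sample responses at the bottom are constructed to match the pattern the advisory describes, not captured from FreeScout.

```python
"""Fingerprint two password-reset responses and flag enumerable differences (added example)."""
import http.cookiejar
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Matches the first Bootstrap-style alert box in a rendered page.
ALERT_RE = re.compile(r'<div[^>]*class="([^"]*\balert\b[^"]*)"[^>]*>(.*?)</div>', re.S)


@dataclass(frozen=True)
class Fingerprint:
    status: int
    alert_class: str   # sorted, space-joined CSS classes of the alert box ("" if none)
    message: str       # alert text with tags stripped and whitespace collapsed
    length: int        # body length in characters


def fingerprint(status: int, body: str) -> Fingerprint:
    """Reduce a response to the fields that should not depend on the submitted email."""
    m = ALERT_RE.search(body)
    if not m:
        return Fingerprint(status, "", "", len(body))
    classes = " ".join(sorted(m.group(1).split()))
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", m.group(2))).strip()
    return Fingerprint(status, classes, text, len(body))


def differing_fields(a: Fingerprint, b: Fingerprint) -> list:
    """Names of fingerprint fields that differ; an empty list means no observable discrepancy."""
    diffs = [n for n in ("status", "alert_class", "message") if getattr(a, n) != getattr(b, n)]
    # Body length is noisy (the echoed email itself changes it), so only flag large gaps.
    if abs(a.length - b.length) > 64:
        diffs.append("length")
    return diffs


def is_enumerable(known_resp, unknown_resp) -> bool:
    """True when a known-valid and a bogus address yield distinguishable responses."""
    return bool(differing_fields(fingerprint(*known_resp), fingerprint(*unknown_resp)))


def probe(base_url: str, email: str, timeout: float = 10.0):
    """Live check (needs network): fetch the form for a session + CSRF token, then POST the email."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    base = base_url.rstrip("/")
    # Assumed Laravel routes and csrf_field() markup; adjust if the instance differs.
    form = opener.open(base + "/password/reset", timeout=timeout).read().decode(errors="replace")
    token = re.search(r'name="_token"\s+value="([^"]+)"', form)
    data = urllib.parse.urlencode({"_token": token.group(1) if token else "", "email": email}).encode()
    try:
        # urllib follows the post-redirect-get, so the flashed alert is in the returned body.
        with opener.open(base + "/password/email", data=data, timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


# Constructed sample responses (not captured from FreeScout) in the shape the advisory describes.
CONSTRUCTED_KNOWN = (200, '<html><body><div class="alert alert-success">\n  Reset link sent.\n</div></body></html>')
CONSTRUCTED_UNKNOWN = (200, '<html><body><div class="alert alert-danger">\n  No account found.\n</div></body></html>')
CONSTRUCTED_FIXED = (200, '<html><body><div class="alert alert-success">\n  If an account exists, a reset link has been sent.\n</div></body></html>')

if __name__ == "__main__":
    print("vulnerable pattern enumerable:", is_enumerable(CONSTRUCTED_KNOWN, CONSTRUCTED_UNKNOWN))
    print("uniform pattern enumerable:", is_enumerable(CONSTRUCTED_FIXED, CONSTRUCTED_FIXED))
    # Against a real instance: is_enumerable(probe(url, "agent@corp"), probe(url, "zz-nobody@corp"))
```

Run `probe()` twice against the same instance, once with a known agent address and once with an address that cannot exist, and pass both results to `is_enumerable()`. Space the two requests apart, or use two source addresses, so that a rate limiter does not produce a difference of its own.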

Mitigation Strategies

Upgrade FreeScout to version 1.8.219 or later, where this vulnerability is fixed.

Until the upgrade lands, and as a general rule for any reset flow, make the password reset endpoint return the same status, redirect, message and CSS class whether or not the submitted address exists. Only the side effect (sending the email) may differ, and that send should be queued rather than performed inline, otherwise response time becomes the next observable discrepancy.

Rate-limit the password reset endpoint per client IP and per submitted address to slow automated enumeration, and alert on bursts of reset requests for many distinct addresses from a single source.
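The handler shape described above, as an added example that is not FreeScout's code: a framework-agnostic Python stand-in for the Laravel controller, showing the pre-fix pattern (distinct class and text per branch) beside a uniform-response handler, plus a sliding-window rate limit applied per IP and per address. The user directory, message strings and limits are constructed for illustration.

```python
"""Vulnerable vs. uniform-response password reset handlers with rate limiting (added example)."""
import time
from collections import defaultdict, deque

USERS = {"agent@example.com", "lead@example.com"}   # constructed agent directory
SENT = []                                             # records what would have been mailed
GENERIC = "If an account exists for that address, a password reset link has been sent."


def send_reset(email: str) -> None:
    SENT.append(email)   # stand-in for queuing the reset e-mail to a worker


def reset_vulnerable(email: str) -> tuple:
    """The pre-1.8.219 shape the advisory describes: class and text depend on the lookup (CWE-204)."""
    if email.lower() in USERS:
        send_reset(email)
        return ("alert alert-success", "Reset link sent.")
    return ("alert alert-danger", "No account found for that address.")


def reset_hardened(email: str) -> tuple:
    """Same class and text on both branches; only the side effect differs.

    The mail must be queued, not sent inline: an SMTP round-trip on one branch
    would leave a timing discrepancy (CWE-203) even though the page is identical.
    """
    if email.lower() in USERS:
        send_reset(email)
    return ("alert alert-success", GENERIC)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (client IP, address, ...)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_reset(email: str, client_ip: str, limiter: SlidingWindowLimiter, now: float = None) -> tuple:
    """Endpoint glue: limit by IP and by address, then the uniform handler.

    The throttle response depends only on request rate, never on whether the
    address exists, so it does not reopen the enumeration channel.
    """
    if not (limiter.allow("ip:" + client_ip, now) and limiter.allow("email:" + email.lower(), now)):
        return ("alert alert-warning", "Too many requests; try again later.")   # HTTP 429
    return reset_hardened(email)


if __name__ == "__main__":
    for fn in (reset_vulnerable, reset_hardened):
        print(fn.__name__, fn("agent@example.com"), fn("nobody@example.com"))
```

In a Laravel controller the same change means returning one `back()->with('status', ...)` regardless of the `Password::sendResetLink()` outcome and dispatching the notification to a queue, with `throttle` middleware on the route for the rate limit.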
