CVE-2026-45294
Deferred Deferred - Pending Action

Password Reset User Enumeration in FreeScout

Vulnerability report for CVE-2026-45294, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-29
Last Modified
2026-06-02
Generated
2026-07-09
AI Q&A
2026-05-30
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
freescout freescout 1.8.219
freescout freescout to 1.8.219 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to enumerate valid helpdesk agent email addresses by observing distinct responses from the password reset endpoint. Such information disclosure can facilitate targeted phishing attacks or agent impersonation.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of valid email addresses could be considered a data privacy concern under these regulations, as it involves unauthorized disclosure of personal information.

Therefore, organizations using affected versions of FreeScout may face increased risk of non-compliance with data protection requirements that mandate safeguarding personal data against unauthorized access or disclosure.

Impact Analysis

This vulnerability can impact you by allowing attackers to enumerate valid helpdesk agent email addresses without authentication.

With this information, attackers could perform targeted phishing attacks against those agents or use the enumerated emails as a stepping stone for further attacks such as agent impersonation.

Executive Summary

CVE-2026-45294 is a vulnerability in FreeScout Help Desk software versions prior to 1.8.219. It occurs because the password reset endpoint returns different visible responses depending on whether the submitted email address belongs to an existing user account or not.

Specifically, when a password reset request is made, the system shows a success message with a certain CSS class if the email exists, and an error message with a different CSS class if it does not. This difference in responses allows unauthenticated attackers to determine which email addresses are valid helpdesk agent accounts.

Detection Guidance

This vulnerability can be detected by submitting password reset requests with different email addresses and observing the responses. If the responses differ visually or in content depending on whether the email exists in the system, the system is vulnerable to user enumeration.

For example, you can use curl commands to test the password reset endpoint with existing and non-existing email addresses and compare the responses.

If the responses contain different CSS classes or messages indicating success or error depending on the email validity, the vulnerability is present.

Mitigation Strategies

The immediate mitigation steps include upgrading FreeScout to version 1.8.219 or later, where this vulnerability is fixed.

Additionally, ensure that the password reset endpoint returns identical responses regardless of whether the submitted email exists in the system to prevent user enumeration.

Implement rate limiting on the password reset endpoint to reduce the risk of automated enumeration attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart