CVE-2026-45294
Password Reset User Enumeration in FreeScout
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | < 1.8.219 (fixed in 1.8.219) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
An unauthenticated attacker can use this vulnerability to enumerate which email addresses belong to valid helpdesk agent accounts in your FreeScout instance.
With that list, an attacker can run targeted phishing against those agents, or use the confirmed addresses as a stepping stone for further attacks such as agent impersonation or credential guessing against the login form.
Can you explain this vulnerability to me?
CVE-2026-45294 is a vulnerability in FreeScout Help Desk software versions prior to 1.8.219. It occurs because the password reset endpoint returns different visible responses depending on whether the submitted email address belongs to an existing user account or not.
Specifically, when a password reset request is made, the system shows a success message with a certain CSS class if the email exists, and an error message with a different CSS class if it does not. This difference in responses allows unauthenticated attackers to determine which email addresses are valid helpdesk agent accounts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by submitting password reset requests for an address you know to be a valid agent and for an address you know is not, then comparing the two responses. If the responses differ in HTTP status, in the alert's CSS class, or in the message text depending on whether the email exists, the instance is vulnerable to user enumeration.
For example, you can use curl to send both requests to the password reset endpoint and compare the full responses (the addresses below are placeholders; substitute a known agent address and an address that does not exist in your instance). The form field name `email` and the endpoint path are the ones this page describes; confirm both against the reset form of your own deployment.
- curl -s -i -X POST --data-urlencode 'email=known-agent@example.com' https://your-freescout-instance/password-reset
- curl -s -i -X POST --data-urlencode 'email=does-not-exist@example.com' https://your-freescout-instance/password-reset
If the responses contain different status codes, CSS classes or messages indicating success or error depending on the email validity, the vulnerability is present. Because FreeScout is built on Laravel, a bare POST without the form's CSRF token is normally rejected for both addresses (typically with a 419 response); in that case first fetch the reset form, submit its `_token` value and session cookie with each probe, and only then compare. Two identical rejections prove nothing about enumeration.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps include upgrading FreeScout to version 1.8.219 or later, where this vulnerability is fixed.
Additionally, ensure that the password reset endpoint returns the same HTTP status, markup, CSS classes and wording regardless of whether the submitted email exists in the system, and keep the response time similar in both cases; the existence check should only decide whether a reset email is actually queued, never what the client sees.
Implement rate limiting on the password reset endpoint to reduce the risk of automated enumeration attacks.
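The following is an added example, not FreeScout's code or the original page's, that ties together the detection procedure above and the two mitigations. It models a password reset handler that leaks account existence (different status, CSS class and message), the hardened handler that returns an identical page either way and only decides out of band whether to queue a mail, the response comparison an auditor runs after stripping per-request noise such as the CSRF token, and a minimal per-client rate limiter. The account table, page template, `_token` field, alert class names and messages are all constructed for illustration and do not reproduce FreeScout's real markup.

```python
"""Added example: enumerable vs. hardened password-reset responses, the
comparison that detects the difference, and a simple rate limiter.
Not FreeScout's code; markup, field names and messages are constructed."""
import re
import secrets
from collections import defaultdict, deque

# Constructed sample account table; a real app would query its users table.
KNOWN_USERS = {"agent@example.com"}

# Hypothetical page template with a per-request CSRF token (assumed field name).
PAGE = (
    '<form method="post" action="/password-reset">'
    '<input type="hidden" name="_token" value="{token}">'
    '<div class="alert {css}">{msg}</div></form>'
)


def vulnerable_reset(email: str) -> tuple[int, str]:
    """Leaks existence: status, CSS class and wording differ per outcome."""
    token = secrets.token_hex(16)  # varies every request, like a CSRF token
    if email in KNOWN_USERS:
        return 200, PAGE.format(token=token, css="alert-success",
                                msg="We have e-mailed your password reset link!")
    return 422, PAGE.format(token=token, css="alert-danger",
                            msg="We can't find a user with that e-mail address.")


OUTBOX: list[str] = []  # mail queue; a side channel the client never observes


def hardened_reset(email: str) -> tuple[int, str]:
    """Identical status, markup and wording either way; the existence check
    only decides whether a reset mail is queued."""
    token = secrets.token_hex(16)
    if email in KNOWN_USERS:
        OUTBOX.append(email)  # queued out of band, not reflected in the page
    return 200, PAGE.format(token=token, css="alert-info",
                            msg="If that address is registered, a reset link has been sent.")


TOKEN_RE = re.compile(r'name="_token" value="[0-9a-f]+"')


def normalize(body: str) -> str:
    """Strip per-request noise (the CSRF token) so only real differences remain."""
    return TOKEN_RE.sub('name="_token" value="TOKEN"', body)


def distinguishable(a: tuple[int, str], b: tuple[int, str]) -> bool:
    """True if an unauthenticated client could tell the two responses apart."""
    return a[0] != b[0] or normalize(a[1]) != normalize(b[1])


def probe(handler, known: str, unknown: str) -> bool:
    """Detection logic: submit a known and an unknown address and compare."""
    return distinguishable(handler(known), handler(unknown))


class RateLimiter:
    """Sliding-window limiter keyed per client (e.g. source IP); the clock is
    injected so behaviour is deterministic in tests."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    print("vulnerable distinguishable:", probe(vulnerable_reset, "agent@example.com", "nobody@example.com"))
    print("hardened distinguishable:  ", probe(hardened_reset, "agent@example.com", "nobody@example.com"))
```

Run against a live instance, `normalize` is where the real work is: anything that legitimately varies between two requests (CSRF token, session cookie, timestamps, nonces) must be stripped before comparing, otherwise every pair looks different and the probe is useless. The rate limiter is a complement, not a fix; it slows bulk enumeration but does not stop the leak for the addresses an attacker cares most about.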