CVE-2026-41194

🗓️ 21 Apr 2026 17:16:50Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 5 Views🌐 WEB

FreeScout before 1.8.215 allows CSRF via a GET mailbox OAuth disconnect that removes OAuth metadata.

Reporter	Title	Published	Views	Family All 7
CNNVD	FreeScout 跨站请求伪造漏洞	21 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable	21 Apr 202617:16	–	cvelist
EUVD	EUVD-2026-24225	21 Apr 202617:16	–	euvd
NVD	CVE-2026-41194	21 Apr 202618:16	–	nvd
Positive Technologies	PT-2026-34041	21 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-41194	22 Apr 202619:22	–	redhatcve
Vulnrichment	CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable	21 Apr 202617:16	–	vulnrichment

Vulners

Node

freescout-help-desk freescoutRange<1.8.215

[
  {
    "vendor": "freescout-help-desk",
    "product": "freescout",
    "versions": [
      {
        "version": "< 1.8.215",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/freescout-help-desk/freescout/releases/tag/1.8.215
github	www.github.com/freescout-help-desk/freescout/security/advisories/GHSA-6rvw-fhqx-cfv5
github	www.github.com/freescout-help-desk/freescout/commit/eb397efae2086524ba0ee91abb916de8db7a4ac1

Parameter	Position	Path	Description	CWE
id	path	/mailbox/oauth-disconnect/{id}/{in_out}/{provider}	GET route disconnects OAuth metadata and redirects; vulnerable to CSRF since no CSRF token is required.	CWE-352
in_out	path	/mailbox/oauth-disconnect/{id}/{in_out}/{provider}	GET route disconnects OAuth metadata and redirects; vulnerable to CSRF since no CSRF token is required.	CWE-352
provider	path	/mailbox/oauth-disconnect/{id}/{in_out}/{provider}	GET route disconnects OAuth metadata and redirects; vulnerable to CSRF since no CSRF token is required.	CWE-352

22 Apr 2026 21:08Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.15.4

EPSS0.00017

SSVC

CWE-352