CVE-2026-41194 Overview
CVE-2026-41194 is a Cross-Site Request Forgery (CSRF) vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox application. The vulnerability exists in the mailbox OAuth disconnect functionality, which is implemented as a GET endpoint without CSRF token protection. This design flaw allows attackers to craft malicious links that, when clicked by an authenticated mailbox administrator, will disconnect OAuth integrations without proper authorization verification.
Critical Impact
An attacker can trick a logged-in mailbox administrator into clicking a malicious link, resulting in the disconnection of OAuth integrations and removal of stored OAuth metadata from mailboxes, potentially disrupting email service functionality.
Affected Products
- FreeScout versions prior to 1.8.215
- Self-hosted FreeScout help desk installations with OAuth integrations
- FreeScout instances using Microsoft 365/Exchange OAuth connections
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-41194 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41194
Vulnerability Analysis
This CSRF vulnerability (CWE-352) stems from a fundamental security design issue in how FreeScout handles the OAuth disconnect action. The vulnerable endpoint /mailbox/oauth-disconnect/{id}/{in_out}/{provider} was implemented as a GET route rather than a state-changing POST request with proper CSRF protection. When a user with administrative privileges visits this URL, the application removes OAuth metadata from the specified mailbox and performs a redirect, without verifying the legitimacy of the request origin.
The lack of CSRF token validation means that any external website can embed this URL in an image tag, link, or iframe, triggering the disconnect action when visited by an authenticated administrator. This represents a clear violation of secure design principles where state-changing operations should be protected against cross-site request attacks.
Root Cause
The root cause is the implementation of a state-changing operation (OAuth disconnection) as a GET request without CSRF token validation in the MailboxesController.php file. GET requests are inherently vulnerable to CSRF attacks as they can be trivially triggered through image sources, link prefetching, or any mechanism that causes the browser to issue a GET request.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious webpage or email containing a link or embedded resource pointing to the vulnerable OAuth disconnect endpoint. When an authenticated FreeScout administrator visits the attacker's page, the browser automatically sends the request with the victim's session cookies, executing the OAuth disconnect action without the user's knowledge or consent.
// Vulnerable code in app/Http/Controllers/MailboxesController.php
// Before the fix, no CSRF token verification was performed
$mailbox = Mailbox::findOrFail($mailbox_id);
$this->authorize('admin', $mailbox);
+ if (csrf_token() != $request->token) {
+ return throw new \Illuminate\Session\TokenMismatchException;
+ }
+
// oAuth Disconnect.
$mailbox->removeMetaParam('oauth', true);
Source: GitHub Commit Update
Detection Methods for CVE-2026-41194
Indicators of Compromise
- Unexpected OAuth disconnection events in mailbox configuration logs
- User reports of email integration failures without administrator action
- Referrer logs showing external domains triggering the /mailbox/oauth-disconnect/ endpoint
- Multiple OAuth disconnection requests occurring in rapid succession
Detection Strategies
- Monitor web server access logs for GET requests to /mailbox/oauth-disconnect/ with external referrer headers
- Implement alerting for OAuth configuration changes in FreeScout mailbox settings
- Review application logs for unexpected TokenMismatchException errors after patching
- Correlate OAuth disconnect events with user activity to identify unauthorized actions
Monitoring Recommendations
- Enable detailed access logging for administrative routes in FreeScout
- Configure alerts for any changes to mailbox OAuth integration status
- Monitor for unusual patterns in administrative endpoint access from external referrers
- Implement session activity monitoring for mailbox administrators
How to Mitigate CVE-2026-41194
Immediate Actions Required
- Upgrade FreeScout to version 1.8.215 or later immediately
- Review mailbox OAuth configurations to ensure no unauthorized disconnections occurred
- Audit access logs for any suspicious requests to the OAuth disconnect endpoint
- Re-establish any OAuth connections that may have been maliciously disconnected
Patch Information
FreeScout has addressed this vulnerability in version 1.8.215. The fix adds CSRF token validation to the OAuth disconnect endpoint, requiring a valid token parameter to be included in the request. The patch modifies both the controller logic in MailboxesController.php and the view template connection.blade.php to generate and validate CSRF tokens for disconnect links.
Patch details are available in the GitHub Commit Update and the official GitHub Release Version 1.8.215.
Workarounds
- If immediate patching is not possible, consider temporarily disabling OAuth integrations
- Implement a web application firewall (WAF) rule to block external referrers from accessing the OAuth disconnect endpoint
- Restrict administrative access to FreeScout through VPN or IP whitelisting
- Educate administrators about the risks of clicking untrusted links while logged into FreeScout
# Example nginx configuration to block external referrers from OAuth disconnect endpoint
location ~ ^/mailbox/oauth-disconnect/ {
if ($http_referer !~ "^https?://(www\.)?yourdomain\.com") {
return 403;
}
# Pass to PHP-FPM as usual
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
