Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45294

CVE-2026-45294: FreeScout Information Disclosure Flaw

CVE-2026-45294 is an information disclosure vulnerability in FreeScout that allows attackers to enumerate valid helpdesk agent email addresses through the password reset endpoint. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-45294 Overview

FreeScout is a free help desk and shared inbox application built with PHP's Laravel framework. CVE-2026-45294 is a user enumeration vulnerability in the password reset endpoint of FreeScout versions prior to 1.8.219. The endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing helpdesk agent account. Unauthenticated attackers can abuse this behavior to enumerate valid agent email addresses without any authentication. The issue is tracked under [CWE-203] (Observable Discrepancy) and is fixed in FreeScout 1.8.219.

Critical Impact

Unauthenticated attackers can remotely enumerate valid FreeScout agent email accounts, enabling targeted phishing, credential stuffing, and brute-force attacks against the helpdesk.

Affected Products

  • FreeScout versions prior to 1.8.219
  • Self-hosted FreeScout help desk deployments exposing the password reset endpoint
  • Any FreeScout instance reachable over the network by unauthenticated clients

Discovery Timeline

  • 2026-05-29 - CVE-2026-45294 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-45294

Vulnerability Analysis

The vulnerability resides in FreeScout's password reset workflow. When a user submits an email address to the reset endpoint, the application generates a response that differs based on whether the email matches an existing account. An attacker can observe these differences and confirm which addresses correspond to active helpdesk agents. The flaw is categorized as [CWE-203] Observable Discrepancy. While it does not allow direct compromise of accounts or data, it provides reconnaissance value. Confirmed agent emails directly support follow-on attacks including credential stuffing, password spraying, and targeted phishing campaigns aimed at help desk personnel who often hold elevated access to ticketing data.

Root Cause

The root cause is inconsistent response handling in the password reset controller. Existing accounts and non-existent accounts produce visually different output. Secure password reset flows should return a single, generic response regardless of whether the submitted email exists. FreeScout's implementation prior to 1.8.219 did not normalize this output, exposing account presence as a side channel.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker submits candidate email addresses to the FreeScout password reset endpoint and inspects each response. By scripting requests against a list of plausible addresses, often derived from corporate domains or public sources, the attacker compiles a verified list of agent accounts. The technique is low-noise and difficult to distinguish from legitimate reset traffic without behavioral analytics. See the GitHub Security Advisory GHSA-jvmv-2qcp-7855 for vendor details.

// No verified exploit code is available. The flaw is exercised by
// submitting email addresses to the password reset endpoint and
// comparing response differences between valid and invalid accounts.

Detection Methods for CVE-2026-45294

Indicators of Compromise

  • High volumes of POST requests to the FreeScout password reset endpoint from a single source IP or small IP range
  • Sequential reset submissions iterating through many distinct email addresses in a short time window
  • Requests originating from anonymizing proxies, hosting providers, or known scanner infrastructure

Detection Strategies

  • Implement web server and application logging that captures the submitted email parameter and response size for each password reset request
  • Alert when a single client submits more than a defined threshold of unique email addresses to the reset endpoint within a short interval
  • Correlate password reset traffic with subsequent authentication attempts to identify reconnaissance preceding credential attacks

Monitoring Recommendations

  • Forward FreeScout web access logs to a centralized log platform for anomaly detection on the reset endpoint
  • Baseline normal password reset volume per source and alert on statistical outliers
  • Monitor for follow-on activity such as failed logins or successful authentications from IPs that previously enumerated email addresses

How to Mitigate CVE-2026-45294

Immediate Actions Required

  • Upgrade FreeScout to version 1.8.219 or later, which normalizes password reset responses
  • Place the FreeScout password reset endpoint behind rate limiting at the application or reverse proxy layer
  • Restrict administrative and reset interfaces to trusted networks or VPN where operationally feasible

Patch Information

The vulnerability is fixed in FreeScout 1.8.219. The patch ensures the password reset endpoint returns a uniform response regardless of whether the submitted email belongs to a registered account. Administrators should consult the FreeScout Security Advisory GHSA-jvmv-2qcp-7855 for upgrade guidance and verify the running version after deployment.

Workarounds

  • Apply strict rate limiting and CAPTCHA challenges to the password reset endpoint to slow enumeration attempts
  • Deploy a Web Application Firewall rule that blocks clients submitting many unique email values to the reset URL in a short interval
  • Require multi-factor authentication for all helpdesk agent accounts to reduce the impact of any harvested addresses
bash
# Example NGINX rate limit for the FreeScout password reset endpoint
limit_req_zone $binary_remote_addr zone=fs_reset:10m rate=5r/m;

location /password/email {
    limit_req zone=fs_reset burst=5 nodelay;
    proxy_pass http://freescout_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.