PatchSiren cyber security CVE debrief
CVE-2026-45294 freescout-help-desk CVE debrief
CVE-2026-45294 is a user enumeration vulnerability in FreeScout, a PHP Laravel-based help desk and shared inbox application. The vulnerability exists in the password reset endpoint prior to version 1.8.219, where the application returns visually distinct responses depending on whether a submitted email address corresponds to an existing user account. This behavioral discrepancy allows unauthenticated remote attackers to systematically identify valid helpdesk agent email addresses, which can be leveraged for subsequent targeted attacks such as credential stuffing, phishing campaigns, or social engineering. The vulnerability is classified as CWE-203 (Observable Discrepancy) and CWE-204 (Observable Response Discrepancy). The issue has been resolved in FreeScout version 1.8.219.
- Vendor: freescout-help-desk
- Product: freescout
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations operating FreeScout help desk instances, particularly those with externally accessible login portals. Security teams responsible for identity and access management infrastructure. Managed service providers hosting FreeScout deployments for multiple clients.
Technical summary
The FreeScout password reset functionality exhibits an observable discrepancy in server responses depending on whether the submitted email address exists in the user database. Prior to version 1.8.219, valid and invalid email submissions produce distinguishable visual responses, so an unauthenticated attacker can submit a list of candidate addresses and read off which ones belong to registered agent accounts. The weakness requires no authentication and no user interaction and is exploitable over the network with low attack complexity. The confidentiality impact is rated LOW because only the existence of an account is exposed, not credentials or other sensitive data. No integrity or availability impact is associated with this weakness.
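The pattern described above, shown as an added illustration that is not FreeScout's code: a reset handler whose response body and status depend on account existence, beside a hardened variant that returns the same response either way, and the attacker-side oracle that turns the difference into an account list. The user store, addresses and message strings are constructed for the example; FreeScout's actual route, messages and status codes are not reproduced here.

```python
"""Observable response discrepancy in a password-reset handler (CWE-204)
and a uniform-response fix. Constructed example; not FreeScout's code."""
from dataclasses import dataclass

# Constructed user store. Addresses are placeholders in the reserved
# example.test domain, not real accounts.
USERS = {"agent@example.test", "admin@example.test"}


@dataclass(frozen=True)
class ResetResponse:
    status: int
    body: str


def reset_vulnerable(email: str) -> ResetResponse:
    """Vulnerable pattern: status and body reveal whether the address is registered."""
    if email in USERS:
        # A real application queues the reset mail here.
        return ResetResponse(200, "We have emailed your password reset link.")
    return ResetResponse(422, "We can't find a user with that email address.")


def reset_hardened(email: str) -> ResetResponse:
    """Hardened pattern: identical status and body regardless of existence.

    The mail is still only sent for a real account, but that branch produces
    nothing the caller can observe in the HTTP response."""
    if email in USERS:
        pass  # queue the reset mail here; no observable difference in the reply
    return ResetResponse(
        200, "If an account exists for that address, a reset link has been sent."
    )


def enumerate_accounts(handler, candidates, canary="definitely-not-a-user@example.test"):
    """Attacker-side oracle.

    Takes a baseline response for an address assumed not to exist, then
    reports every candidate whose response differs from that baseline.
    Against a uniform-response handler this returns the empty set."""
    baseline = handler(canary)
    return {c for c in candidates if handler(c) != baseline}


if __name__ == "__main__":
    probe = ["agent@example.test", "nobody@example.test", "admin@example.test"]
    print("vulnerable:", sorted(enumerate_accounts(reset_vulnerable, probe)))
    print("hardened:  ", sorted(enumerate_accounts(reset_hardened, probe)))
```

The hardened handler only equalises status and body. If the "account exists" branch does noticeably slower work (rendering and sending mail inline), response latency becomes a second oracle, so a production fix should also dispatch the mail asynchronously rather than in the request path.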
Defensive priority
medium
Recommended defensive actions
- Upgrade FreeScout to version 1.8.219 or later to eliminate the observable response discrepancy in the password reset endpoint.
- If immediate patching is not feasible, rate limit the password reset endpoint (for example with Laravel's throttle route middleware) so that systematic enumeration becomes impractically slow; this reduces but does not remove the discrepancy.
- Monitor authentication logs for patterns indicative of enumeration attempts, such as rapid sequential requests to the password reset endpoint from single or distributed source addresses.
- Consider implementing additional access controls or CAPTCHA mechanisms on the password reset form to increase attacker effort.
- Review authentication logs for failed or anomalous logins against known agent accounts, particularly privileged ones, during and after the disclosure window: enumeration is typically the first step before credential stuffing or targeted phishing.
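One way to implement the monitoring action above, as an added example rather than anything shipped with FreeScout or the advisory: a parser for combined-format web server access logs that counts POSTs to the reset-request path per source address in a sliding window and flags both single-source bursts and a distributed pattern where many addresses each send a few requests. The path /password/email is the Laravel default for the reset-request POST and is assumed here; confirm it against your own FreeScout routes. The log lines are constructed for the example.

```python
"""Flag password-reset enumeration in access logs. Added example, not FreeScout code.
Assumes combined log format and the Laravel default reset path /password/email."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format regex (Apache/nginx); only the fields used here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^\s"]+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip, timestamp, method, path for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def _peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_enumeration(lines, path="/password/email",
                     window=timedelta(seconds=60), threshold=10):
    """Map flagged source -> peak request count in the window.

    A source IP is flagged when it POSTs to `path` at least `threshold` times
    within `window`. The key "*" is added when the remaining, individually
    unflagged sources together reach the threshold (distributed probing)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == path:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        peak = _peak_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    rest = [t for ip, ts in per_ip.items() if ip not in flagged for t in ts]
    peak_rest = _peak_in_window(rest, window)
    if peak_rest >= threshold:
        flagged["*"] = peak_rest
    return flagged


# ---- constructed sample log (not captured from a real system) ----
def _line(ip, t, method, path, status):
    stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_T0 = datetime(2026, 5, 29, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # benign: one agent loads the form and submits once
    [_line("198.51.100.5", _T0, "GET", "/password/reset", 200),
     _line("198.51.100.5", _T0 + timedelta(seconds=30), "POST", "/password/email", 200)]
    # single-source burst: 12 submissions in 22 seconds
    + [_line("203.0.113.7", _T0 + timedelta(seconds=2 * i), "POST", "/password/email", 200)
       for i in range(12)]
    # distributed probe: 15 addresses, one submission each, within 42 seconds
    + [_line(f"192.0.2.{i}", _T0 + timedelta(minutes=5, seconds=3 * i),
             "POST", "/password/email", 422) for i in range(1, 16)]
)

if __name__ == "__main__":
    for src, peak in sorted(find_enumeration(SAMPLE_LOG).items()):
        print(f"{src:15} peak {peak} reset POSTs / 60s")
```

Tune `threshold` and `window` to the instance's real traffic; a shared inbox with many agents will see legitimate bursts after a forced password rotation, and the distributed check is only meaningful once single-source bursts are already rate limited.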
Evidence notes
Vulnerability confirmed via GitHub Security Advisory GHSA-jvmv-2qcp-7855. CVSS 3.1 score of 5.3 (MEDIUM) assigned with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. NVD status currently 'Deferred'. Fix version 1.8.219 explicitly confirmed in advisory.
Official resources
- CVE-2026-45294 CVE record (CVE.org)
- CVE-2026-45294 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29