CVE-2026-45294: CWE-203: Observable Discrepancy in freescout-help-desk freescout
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
AI Analysis
Technical Summary
FreeScout, a PHP Laravel-based help desk application, had a vulnerability (CVE-2026-45294) where its password reset endpoint returned different visual responses based on the existence of the submitted email address in the system. This observable discrepancy enables unauthenticated attackers to enumerate valid user email addresses, potentially aiding further targeted attacks. The vulnerability is classified under CWE-203 (Observable Discrepancy) and CWE-204 (Information Exposure Through Discrepancy). It affects versions prior to 1.8.219 and has a CVSS 3.1 base score of 5.3, indicating medium severity. No official patch or vendor advisory is provided in the data, but the issue is noted as fixed in version 1.8.219.
Potential Impact
The vulnerability allows unauthenticated attackers to confirm the existence of valid helpdesk agent email addresses by observing differences in password reset responses. This information disclosure can facilitate targeted phishing or social engineering attacks. There is no indication of direct compromise of confidentiality, integrity, or availability beyond this information exposure.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.219 or later, where this vulnerability is fixed. Since no official vendor advisory or patch link is provided, verify the upgrade from the official FreeScout release notes or repository to ensure the fix is applied. Patch status is not yet confirmed via vendor advisory; check official FreeScout sources for current remediation guidance.
CVE-2026-45294: CWE-203: Observable Discrepancy in freescout-help-desk freescout
Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
CVSS v3.1
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FreeScout, a PHP Laravel-based help desk application, had a vulnerability (CVE-2026-45294) where its password reset endpoint returned different visual responses based on the existence of the submitted email address in the system. This observable discrepancy enables unauthenticated attackers to enumerate valid user email addresses, potentially aiding further targeted attacks. The vulnerability is classified under CWE-203 (Observable Discrepancy) and CWE-204 (Information Exposure Through Discrepancy). It affects versions prior to 1.8.219 and has a CVSS 3.1 base score of 5.3, indicating medium severity. No official patch or vendor advisory is provided in the data, but the issue is noted as fixed in version 1.8.219.
Potential Impact
The vulnerability allows unauthenticated attackers to confirm the existence of valid helpdesk agent email addresses by observing differences in password reset responses. This information disclosure can facilitate targeted phishing or social engineering attacks. There is no indication of direct compromise of confidentiality, integrity, or availability beyond this information exposure.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.219 or later, where this vulnerability is fixed. Since no official vendor advisory or patch link is provided, verify the upgrade from the official FreeScout release notes or repository to ensure the fix is applied. Patch status is not yet confirmed via vendor advisory; check official FreeScout sources for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:14:43.201Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Gcve Source
- db.gcve.eu
Threat ID: 6a19feb4e29bf47b500fc2ee
Added to database: 5/29/2026, 9:01:40 PM
Last enriched: 5/29/2026, 9:04:24 PM
Last updated: 5/31/2026, 4:54:47 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.