CVE-2026-45294: FreeScout User Enumeration in Password Reset Endpoint
FreeScout, a Laravel-based open-source help desk platform, leaks information about whether an email address is registered as a helpdesk agent account. An attacker can repeatedly submit email addresses to the password reset feature and observe different visual responses that reveal which accounts exist—a technique called user enumeration. This flaw affects all versions before 1.8.219 and requires no authentication or user interaction to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-203, CWE-204
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an information disclosure flaw in FreeScout's password reset endpoint (CWE-203: Observable Discrepancy, CWE-204: Observable Timing Discrepancy). When an unauthenticated user submits an email address, the endpoint returns visually distinct responses based on whether that address corresponds to an existing agent account. This allows systematic enumeration of valid helpdesk user identities without authentication. The issue is patched in version 1.8.219 by normalizing response behavior regardless of account existence.
Business impact
User enumeration weakens the security perimeter of a help desk deployment by allowing attackers to build a roster of valid agent email addresses without triggering alerts. This reconnaissance lowers the barrier to subsequent targeted attacks—such as credential stuffing, phishing, or social engineering against known staff members. For organizations running FreeScout as their primary support channel, this indirect exposure can compromise agent account security and ultimately affect customer data confidentiality.
Affected systems
FreeScout versions prior to 1.8.219 are affected. The vulnerability is present in the password reset endpoint and does not require specific configuration or plugins to be enabled. Any FreeScout installation accessible via HTTP(S) is potentially exploitable.
Exploitability
Exploitability is high from a practical standpoint: no authentication is required, the attack is trivial to automate, and the vulnerable endpoint is a standard feature of every FreeScout deployment. The CVSS score of 5.3 (MEDIUM) reflects limited direct impact—no data is stolen, systems are not compromised—but the reconnaissance value to attackers is substantial. The attack requires only network access and incurs minimal operational noise.
Remediation
Upgrade FreeScout to version 1.8.219 or later immediately. For organizations unable to patch promptly, consider network-level mitigations: restrict access to the password reset endpoint via WAF rules or IP allowlisting, monitor for high-velocity requests to that endpoint, and consider temporarily disabling password reset if the help desk uses single sign-on or alternative credential recovery.
Patch guidance
Apply version 1.8.219 or any subsequent release. Verify the patch is in place by attempting to confirm the version in your FreeScout admin panel or examining the release notes. If you maintain a custom deployment, ensure all files in the authentication module are updated and any caching layers (Redis, memcached) are cleared post-deployment.
Detection guidance
Monitor password reset endpoint activity for anomalous request patterns: high volume of requests from a single IP, requests cycling through a large list of email addresses, or requests with malformed payloads designed to extract timing differences. Log and alert on response code or timing variance. Implement rate limiting on the password reset endpoint (e.g., 5 requests per IP per 10 minutes) to naturally constrain enumeration attacks.
Why prioritize this
Although the CVSS score is MEDIUM (5.3), this vulnerability should be prioritized for remediation within 2–4 weeks because it enables reconnaissance that often precedes more damaging attacks against help desk staff. User enumeration is a low-noise technique that leaves minimal forensic traces and is frequently paired with phishing or credential attacks. Early patching blocks a reconnaissance vector that attackers actively seek in support desk systems.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects a low confidentiality impact (unauthenticated users learn email addresses) with no integrity or availability impact. The attack vector is network-based and requires no privileges or user interaction, making it trivially exploitable. The score appropriately penalizes the information disclosure but does not amplify the reconnaissance value or downstream attack chain risk, which are business and threat-model factors that security teams should layer on top of the base score.
Frequently asked questions
Can this vulnerability allow attackers to reset accounts they don't own?
No. The vulnerability only discloses whether an email address is registered; it does not bypass authentication or grant unauthorized password reset capability. Attackers cannot reset an account without also owning the corresponding email address.
Do we need to patch if our FreeScout instance is behind a VPN or IP allowlist?
Yes. While network segmentation reduces attack surface, the vulnerability itself is not eliminated. An insider, compromised VPN credential holder, or attacker who gains network access can still enumerate accounts. Patch to remove the information disclosure entirely.
What should we do if we suspect someone has enumerated our helpdesk agent list?
Review access logs for the password reset endpoint during the suspected timeframe, looking for high-frequency or automated request patterns. Cross-reference IPs and user-agents with known threat intelligence. If enumeration is confirmed, assume the attacker knows your agent email addresses and elevate monitoring on those accounts for phishing, credential reuse, and lateral movement attempts.
Does the fix change the user experience for legitimate password resets?
No. Version 1.8.219 normalizes the response so all users see the same message and response timing, whether or not their email is registered. Legitimate users will not notice a difference; attackers simply lose the ability to distinguish registered from unregistered addresses.
This analysis is provided for informational purposes and represents SEC.co's assessment based on available vendor disclosures and public information current as of the analysis date. Patch availability, version numbering, and affected product ranges should be verified against official FreeScout advisories before remediation decisions are made. Organizations should conduct their own risk assessment based on deployment context, threat exposure, and business criticality. This vulnerability intelligence does not constitute legal advice or a guarantee of security. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45410MEDIUMTREK User Enumeration via Login Timing Analysis
- CVE-2026-45620MEDIUMWWBN AVideo User Enumeration Vulnerability (Medium)
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11