CVE-2026-45294— FreeScout: User Account Enumeration via Password Reset Response Differentiation
Possible ATT&CK Techniques 1AI
T1589.001 · CredentialsGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45294
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreeScout: User Account Enumeration via Password Reset Response Differentiation
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过差异性导致的信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| freescout-help-desk | freescout | < 1.8.219 | - |
II. Public POCs for CVE-2026-45294
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45294
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45294 (1)
Same Patch Batch · freescout-help-desk · 2026-05-29 · 4 CVEs total
| CVE-2026-47123 | 7.5 HIGH | FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message |
| CVE-2026-48811 | 4.3 MEDIUM | FreeScout: Thread Deletion Bypasses Mailbox Access Revocation |
| CVE-2026-48810 | 4.3 MEDIUM | FreeScout: Thread Edit Authorization Bypass via Missing Mailbox Check |
IV. Related Vulnerabilities
Same product: freescout
- CVE-2026-47123
FreeScout: Agent Impersonation via Missing HMAC Verification - CVE-2026-48810
FreeScout: Thread Edit Authorization Bypass via Missing Mail - CVE-2026-48811
FreeScout: Thread Deletion Bypasses Mailbox Access Revocatio - CVE-2026-41906
FreeScout: Conversation Change-Customer Cross-Mailbox Author - CVE-2026-41905
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl:
Same vendor: freescout-help-desk
- CVE-2026-47123
FreeScout: Agent Impersonation via Missing HMAC Verification - CVE-2026-48810
FreeScout: Thread Edit Authorization Bypass via Missing Mail - CVE-2026-48811
FreeScout: Thread Deletion Bypasses Mailbox Access Revocatio - CVE-2026-41906
FreeScout: Conversation Change-Customer Cross-Mailbox Author - CVE-2026-41905
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl:
Same weakness: CWE-203
- CVE-2026-45410
Time-based user enumeration in TREK authentication endpoint - CVE-2026-44263
Weblate: Private Translation Enumeration via Screenshot API - CVE-2023-5872
Wago: Vulnerability in Smart Designer Web-Application - CVE-2026-33429
Parse Server: Protected field change detection oracle via Li - CVE-2026-33425
Discourse has inferable private group membership or existenc
V. Comments for CVE-2026-45294
No comments yet