Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed." Notes: none.
Published: 2026-02-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated Application Admin to specify arbitrary webhook destination URLs that the server does not validate. When the webhook fires, the application makes HTTP or HTTPS requests to the supplied URL, effectively turning the server into a client that can reach any internal or external endpoint routable from the server's network. This can lead to exposure of sensitive internal services, data exfiltration, or the ability to orchestrate further attacks against the infrastructure where Libredesk is hosted.

Affected Systems

Libredesk, a self‑hosted customer support desk application, is affected in all releases prior to version 1.0.2-0.20260215211005-727213631ce6. The fix was applied in the referenced commit and released in that specific version.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog, further indicating its current standing as an unexploited or low‑profile flaw. Attackers would need the credentials of an Application Admin to activate the webhook, after which the server could be coerced to reach protected internal resources or other services, potentially compromising the underlying cloud or corporate network.

Generated by OpenCVE AI on April 17, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Libredesk to version 1.0.2-0.20260215211005-727213631ce6 or later, which adds validation for webhook destinations.
  • If an upgrade cannot be performed immediately, restrict the use of webhooks to a small subset of trusted users or disable the webhook feature entirely for the affected accounts.
  • Implement network segmentation or firewall rules to block outbound requests from the Libredesk application to internal IP ranges, reducing the impact of any remaining SSRF risk.
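One way to implement the webhook destination validation referred to in the first action above, as an added Go example that is not Libredesk's own code: the resolver is injected through a hypothetical `lookup` callback so the check runs offline, and the function rejects non-HTTP schemes, loopback, RFC 1918, link-local and unspecified addresses, including names that resolve to a mix of public and internal addresses.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrBlockedDestination marks webhook targets that point into the operator's
// own network (loopback, RFC 1918, link-local, unspecified) or use a
// non-HTTP scheme.
var ErrBlockedDestination = errors.New("webhook destination not allowed")

// isPublicIP reports whether ip is globally routable; IsPrivate/IsLoopback also cover IPv4-mapped IPv6.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// ValidateWebhookURL accepts raw only if it is an http(s) URL whose host is a
// public IP literal or a name that resolves exclusively to public addresses.
// lookup is a hypothetical injected resolver; in production wrap net.DefaultResolver.LookupIP.
func ValidateWebhookURL(raw string, lookup func(host string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrBlockedDestination, u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") {
		return fmt.Errorf("%w: host %q", ErrBlockedDestination, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return fmt.Errorf("resolving %q: %w", host, err)
	}
	for _, ip := range ips { // reject if ANY answer is internal (mixed records)
		if !isPublicIP(ip) {
			return fmt.Errorf("%w: %s resolves to %s", ErrBlockedDestination, host, ip)
		}
	}
	return nil
}
```

Checking only at configuration time does not defend against a name that changes its answer later (DNS rebinding), so the sender should repeat the same address check on the address actually dialed, for example in a `net.Dialer` `Control` hook, and apply it again to any redirect target.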


Advisories
Source: Github GHSA
ID: GHSA-wgm6-9rvv-3438
Title: Withdrawn Advisory: Libredesk has a SSRF Vulnerability in Webhooks
References

No reference.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Title Libredesk has an SSRF Vulnerability via Webhooks
Weaknesses CWE-209
CWE-918
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed." Notes: none.
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Abhinavxd
Abhinavxd libredesk
Vendors & Products Abhinavxd
Abhinavxd libredesk

Fri, 20 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.
Title Libredesk has an SSRF Vulnerability via Webhooks
Weaknesses CWE-209
CWE-918
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: REJECTED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T13:17:52.368Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26957

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2026-02-20T00:16:15.840

Modified: 2026-06-09T14:16:37.850

Link: CVE-2026-26957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses

No weakness.