Description
Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.
Published: 2026-02-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a user who is logged in as an authenticated Application Admin to specify arbitrary webhook destination URLs that are not validated by the server. By triggering the webhook mechanism, the application will make HTTP or HTTPS requests to the provided URL, effectively turning the server into a client capable of reaching any internal or external endpoint reachable from the server's network. This can lead to exposure of sensitive internal services, data exfiltration, or the ability to orchestrate further attacks against the infrastructure where Libredesk is hosted.

Affected Systems

Libredesk, a self-hosted customer support desk application, is affected in all releases prior to version 1.0.2-0.20260215211005-727213631ce6. The fix was applied in the referenced commit and released in that specific version.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog, which is consistent with a flaw that is not currently known to be exploited. Attackers would need the credentials of an Application Admin to activate the webhook, after which the server could be coerced into reaching protected internal resources or other services, potentially compromising the underlying cloud or corporate network.

Generated by OpenCVE AI on April 17, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Libredesk to version 1.0.2-0.20260215211005-727213631ce6 or later, which adds validation for webhook destinations.
  • If an upgrade cannot be performed immediately, restrict the use of webhooks to a small subset of trusted users or disable the webhook feature entirely for the affected accounts.
  • Implement network segmentation or firewall rules to block outbound requests from the Libredesk application to internal IP ranges, reducing the impact of any remaining SSRF risk.
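To make the first action concrete, the following is an added Go example of the kind of destination check a webhook feature needs; it is illustrative code written for this page, not Libredesk's own code or the actual patch. It restricts the URL to http/https, resolves the host through an injected resolver (net.LookupIP in production, a stub in tests), and rejects the URL if any resolved address is loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint), unspecified or multicast; hostnames and addresses in the comments are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// isInternal reports whether ip is an address a webhook must never be sent to.
// The net.IP predicates apply To4 first, so IPv4-mapped forms such as
// ::ffff:127.0.0.1 are classified like their IPv4 counterpart (Go 1.17+).
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// ValidateWebhookURL accepts only http(s) URLs whose host resolves exclusively
// to public addresses. Every resolved address is checked, not just the first,
// so a name with one public and one private record is still rejected.
func ValidateWebhookURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("webhook URL must use http or https")
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("webhook URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS lookup needed
	} else if ips, err = lookup(host); err != nil {
		return fmt.Errorf("cannot resolve webhook host %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("webhook host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("webhook host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}
```

Checking the URL only when it is saved is not sufficient on its own, because a hostname can later be re-pointed at an internal address; the same check should also be applied to the address actually dialed, for example from a net.Dialer Control callback.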



Advisories

Source: GitHub GHSA
ID: GHSA-wgm6-9rvv-3438
Title: Libredesk has a SSRF Vulnerability in Webhooks
History

Fri, 20 Feb 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values added: Abhinavxd; Abhinavxd libredesk

Type: Vendors & Products
Values added: Abhinavxd; Abhinavxd libredesk

Fri, 20 Feb 2026 00:00:00 +0000

Type: Description
Values added: Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.

Type: Title
Values added: Libredesk has an SSRF Vulnerability via Webhooks

Type: Weaknesses
Values added: CWE-209; CWE-918

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:36:49.120Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26957

Vulnrichment

Updated: 2026-02-20T15:31:51.199Z

NVD

Status: Deferred

Published: 2026-02-20T00:16:15.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses