CVE-2026-26957

Libredesk has an SSRF Vulnerability via Webhooks

Assigner: GitHub_M
Reserved: 16.02.2026 Published: 19.02.2026 Updated: 20.02.2026

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	abhinavxd
Product	github.com/abhinavxd/libredesk
Versions	Version < 1.0.2-0.20260215211005-727213631ce6 is affected

Vendor

abhinavxd

Product

github.com/abhinavxd/libredesk

Versions

Version < 1.0.2-0.20260215211005-727213631ce6 is affected

References

Problem Types

CWE-209: Generation of Error Message Containing Sensitive Information CWE
CWE-918: Server-Side Request Forgery (SSRF) CWE

CVE-2026-26957 PUBLISHED

Libredesk has an SSRF Vulnerability via Webhooks

Metrics

Product Status

References

Problem Types