Libredesk has an SSRF Vulnerability via Webhooks_CVE-2026-26957

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.

Basic Information

ID CVE-2026-26957

Source GitHub_M

Published Feb 19, 2026 at 23:30

Affected Product

Vendor abhinavxd

Product github.com/abhinavxd/libredesk

Version < 1.0.2-0.20260215211005-727213631ce6

Affected Versions abhinavxd github.com/abhinavxd/libredesk < 1.0.2-0.20260215211005-727213631ce6

CWE Classification

CWE-209 CWE-918

References

{
    "lastseen": "",
    "description": "Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated \"Application Admin\" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.",
    "published": "2026-02-19T23:30:48.166Z",
    "modified": "2026-02-19T23:30:48.166Z",
    "type": "cve",
    "title": "Libredesk has an SSRF Vulnerability via Webhooks",
    "source": "GitHub_M",
    "references": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wgm6-9rvv-3438\nhttps://github.com/abhinavxd/libredesk/commit/727213631ce6a36bcb06f50ce542155e78f51316",
    "id": "CVE-2026-26957",
    "bulletinFamily": "",
    "cwe": [
        "CWE-209",
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "abhinavxd github.com/abhinavxd/libredesk < 1.0.2-0.20260215211005-727213631ce6",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "github.com/abhinavxd/libredesk",
    "version": "< 1.0.2-0.20260215211005-727213631ce6",
    "vendor": "abhinavxd",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}