CVE-2026-26957
Libredesk has an SSRF Vulnerability via Webhooks
Description
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed." Notes: none.
INFO
Published Date :
Feb. 20, 2026, 12:16 a.m.
Last Modified :
June 9, 2026, 2:16 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | MEDIUM | [email protected] |
Solution
- Update Libredesk to version 1.0.2-0.20260215211005-727213631ce6.
- Validate webhook destination URLs are properly restricted.
Public PoC/Exploit Available at Github
CVE-2026-26957 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
# مستودع asrar-mared هذا هو المستودع الرئيسي لمجموعة **المارد الرقمي**، نقطة التحكم المركزية التي تجمع كل المشاريع والميول التقنية تحت راية واحدة. يمثل الأساس الذي تُبنى عليه الفروع الأخرى، ويُدار منه كل شيء من تنظيم الكود إلى إدارة المجتمع. للاطلاع على المستودع: [asrar-mared](https://github.com/asrar-mared)
HTML CSS
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-26957 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-26957 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Rejected by [email protected]
Jun. 09, 2026
Action Type Old Value New Value -
CVE Modified by [email protected]
Jun. 09, 2026
Action Type Old Value New Value Changed Description Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6. Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed." Notes: none. Removed CVSS V4.0 GitHub, Inc.: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Removed CWE GitHub, Inc.: CWE-918 Removed CWE GitHub, Inc.: CWE-209 Removed Reference GitHub, Inc.: https://github.com/abhinavxd/libredesk/commit/727213631ce6a36bcb06f50ce542155e78f51316 Removed Reference GitHub, Inc.: https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wgm6-9rvv-3438 -
New CVE Received by [email protected]
Feb. 20, 2026
Action Type Old Value New Value Added Description Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-918 Added CWE CWE-209 Added Reference https://github.com/abhinavxd/libredesk/commit/727213631ce6a36bcb06f50ce542155e78f51316 Added Reference https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wgm6-9rvv-3438