CVE-2026-26957

Vulnerability Description

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.

Related Weaknesses (CWE)

References

• https://github.com/abhinavxd/libredesk/commit/727213631ce6a36bcb06f50ce542155e78
• https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wgm6-9rvv-3438

FAQ

What is CVE-2026-26957?

CVE-2026-26957 is a documented vulnerability. Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an au...

How severe is CVE-2026-26957?

CVSS scoring is not yet available for CVE-2026-26957. Check NVD for updates.

Is there a patch for CVE-2026-26957?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.