PT-2026-20373 · Libredesk

Playeriunknown · Published 2026-02-18 · Updated 2026-03-03 · CVE-2026-26957

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Libredesk versions prior to 1.0.2-0.20260215211005-727213631ce6

Description: Libredesk, a self-hosted customer support desk application, is susceptible to a Server-Side Request Forgery (SSRF) issue in its Webhooks module. An authenticated "Application Admin" can exploit this to force the server to make HTTP requests to arbitrary internal destinations, potentially compromising the underlying cloud infrastructure or the internal corporate network. The application does not validate webhook destination URLs. Attackers can perform internal port scanning by observing whether a connection succeeds or fails, and can potentially leak sensitive information through error-based responses, because the application logs the full response body when a webhook delivery fails. The root cause is missing input validation in cmd/webhooks.go, an unrestricted HTTP client in internal/webhook/webhook.go, and verbose error logging. Specifically, the application does not check whether the URL resolves to a private IP address, and the HTTP client follows redirects and connects to any IP address.

Recommendations: Versions prior to 1.0.2-0.20260215211005-727213631ce6 should be updated. Implement input validation that blocks URLs resolving to private IP ranges and link-local addresses. Use a custom http.Transport that verifies the destination IP address after DNS resolution, so that the address checked is the address connected to; this also prevents DNS rebinding attacks.

Weakness Enumeration

Generation of Error Message Containing Sensitive Information
SSRF

Related Identifiers

CVE-2026-26957
GHSA-WGM6-9RVV-3438
GO-2026-4505
SUSE-SU-2026:0757-1

Affected Products

Libredesk