Libredesk is a self-hosted customer support desk application used to manage customer interactions. Versions prior to 1.0.2-0.20260215211005-727213631ce6 contain a vulnerability identified as CVE-2026-26957, which stems from improper validation of destination URLs configured for webhooks. An authenticated attacker with Application Admin privileges can exploit this flaw to coerce the Libredesk server into making HTTP requests to arbitrary internal or cloud infrastructure endpoints. This behavior constitutes a server-side request forgery (SSRF) vulnerability (CWE-918). Additionally, the vulnerability involves generation of error messages that may leak sensitive information (CWE-209), potentially aiding attackers in reconnaissance or further exploitation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond Application Admin, no user interaction, and limited scope impact. Exploitation could allow attackers to pivot into internal networks or cloud environments hosting the Libredesk instance, potentially exposing sensitive data or enabling further compromise. The vulnerability has been addressed in version 1.0.2-0.20260215211005-727213631ce6, which properly validates webhook destination URLs to prevent SSRF attacks.

The primary impact of this vulnerability is the potential compromise of internal corporate networks or cloud infrastructure where Libredesk is hosted. Attackers with Application Admin access can leverage SSRF to access internal services that are otherwise inaccessible externally, potentially exposing sensitive data, internal APIs, or management interfaces. This can lead to unauthorized data disclosure, lateral movement within the network, or disruption of services. Organizations using Libredesk in sensitive environments or with critical internal services accessible only internally are at higher risk. Although exploitation requires authenticated Application Admin privileges, the risk remains significant because such roles often have broad access and may be targeted via credential theft or insider threats. The vulnerability does not require user interaction and can be exploited remotely, increasing its threat potential. No known active exploits have been reported yet, but the presence of this vulnerability in customer support software used globally means that organizations should prioritize patching to prevent future attacks.

Organizations should immediately upgrade Libredesk to version 1.0.2-0.20260215211005-727213631ce6 or later, which contains the fix for this vulnerability. Until patching is complete, restrict Application Admin privileges to trusted personnel only and monitor webhook configuration changes closely. Implement network segmentation and firewall rules to limit the Libredesk server’s ability to make outbound HTTP requests to internal or sensitive network segments. Employ web application firewalls (WAFs) with SSRF detection capabilities to detect and block suspicious outbound requests originating from the application. Review and audit error message handling to ensure no sensitive information is leaked in logs or responses. Conduct regular security assessments and penetration tests focusing on SSRF and privilege abuse scenarios in the environment. Additionally, enforce strong authentication and credential management practices to reduce the risk of Application Admin account compromise.