{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.611Z", "datePublished": "2026-02-19T23:30:48.166Z", "dateUpdated": "2026-06-09T13:17:52.368Z", "dateRejected": "2026-06-09T13:17:52.368Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: \"Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed.\" Notes: none."}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-09T13:17:52.368Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.611Z", "datePublished": "2026-02-19T23:30:48.166Z", "dateUpdated": "2026-06-09T13:17:52.368Z", "dateRejected": "2026-06-09T13:17:52.368Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: \"Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed.\" Notes: none."}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-09T13:17:52.368Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: \"Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed.\" Notes: none."}], "id": "CVE-2026-26957", "lastModified": "2026-06-09T14:16:37.850", "metrics": {}, "published": "2026-02-20T00:16:15.840", "references": [], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.2-0.20260215211005-727213631ce6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "github.com/abhinavxd/libredesk", "source": "cna", "vendor": "abhinavxd"}, "product": "libredesk", "vendor": "abhinavxd"}], "analysis": {"en": {"generated_at": "2026-04-17T17:41:54.760027+00:00", "value": {"mitigation_remediation": ["Upgrade Libredesk to version 1.0.2-0.20260215211005-727213631ce6 or later, which adds validation for webhook destinations.", "If an upgrade cannot be performed immediately, restrict the use of webhooks to a small subset of trusted users or disable the webhook feature entirely for the affected accounts.", "Implement network segmentation or firewall rules to block outbound requests from the Libredesk application to internal IP ranges, reducing the impact of any remaining SSRF risk."], "summary": {"action": "Apply Patch", "impact": "Remote Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Libredesk, a self\u2011hosted customer support desk application, is affected in all releases prior to version 1.0.2-0.20260215211005-727213631ce6. The fix was applied in the referenced commit and released in that specific version.", "description_and_impact": "The vulnerability allows a user who is logged in as an authenticated Application Admin to specify arbitrary webhook destination URLs that are not validated by the server. By triggering the webhook mechanism, the application will make HTTP or HTTPS requests to the provided URL, effectively turning the server into a client capable of reaching any internal or external endpoint reachable from the server's network. This can lead to exposure of sensitive internal services, data exfiltration, or the ability to orchestrate further attacks against the infrastructure where Libredesk is hosted.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity, and the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog, further indicating its current standing as an unexploited or low\u2011profile flaw. Attackers would need the credentials of an Application Admin to activate the webhook, after which the server could be coerced to reach protected internal resources or other services, potentially compromising the underlying cloud or corporate network."}}}}, "created": "2026-02-20T09:53:18.125265+00:00", "updated": "2026-04-17T17:45:24.348766+00:00", "vendors": ["abhinavxd", "abhinavxd$PRODUCT$libredesk"]}