CVE-2026-26957 Overview
CVE-2026-26957 is a Server-Side Request Forgery (SSRF) vulnerability in Libredesk, a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 do not validate the destination URL of a webhook, so an authenticated user holding the "Application Admin" role can make the server issue HTTP requests to arbitrary destinations, including hosts on the internal network and cloud metadata endpoints that are not reachable from outside. The server thereby becomes a pivot into the cloud infrastructure or corporate network where it is hosted.
Critical Impact
Authenticated attackers with Application Admin privileges can leverage this SSRF vulnerability to access internal network resources, potentially compromising cloud metadata services, internal APIs, and other infrastructure components that should not be externally accessible.
Affected Products
- Libredesk versions prior to 1.0.2-0.20260215211005-727213631ce6
- Self-hosted Libredesk deployments with webhook functionality enabled
- Cloud-hosted Libredesk instances with access to internal network services
Discovery Timeline
- 2026-02-20 - CVE-2026-26957 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26957
Vulnerability Analysis
This SSRF vulnerability exists in the webhook configuration functionality of Libredesk. The application fails to implement proper validation and sanitization of user-supplied webhook destination URLs. When an authenticated Application Admin configures a webhook endpoint, the server accepts arbitrary URLs without verifying whether they point to internal or restricted network destinations.
The vulnerability is exploitable via the network without requiring user interaction. While admin-level privileges are required to configure webhooks, a compromised admin account or malicious insider could leverage this weakness to probe and interact with internal services. This is particularly dangerous in cloud environments where instance metadata endpoints (such as 169.254.169.254) could be accessed, potentially exposing sensitive credentials and configuration data.
Root Cause
The root cause of this vulnerability is missing input validation for webhook destination URLs. The application did not implement an allowlist or blocklist mechanism to restrict webhook targets, nor did it validate URLs against internal IP ranges (RFC 1918 addresses, link-local addresses, or cloud metadata endpoints). The webhook manager accepted and processed any URL provided by an admin user without applying SSRF protection controls.
Attack Vector
An attacker with Application Admin credentials can configure malicious webhook URLs pointing to internal services. When the webhook is triggered, the Libredesk server initiates HTTP requests to the attacker-specified destination. This allows the attacker to:
- Access cloud metadata services to harvest instance credentials
- Probe internal network services and APIs
- Interact with internal databases or administrative interfaces
- Bypass network segmentation and firewall rules by using the server as a proxy
The following excerpt from the fix commit shows the new AllowedHosts option being read from configuration and handed to the webhook manager; it shows only the configuration plumbing, not the validation logic that consumes it:
QueueSize: ko.MustInt("webhook.queue_size"),
Timeout: ko.MustDuration("webhook.timeout"),
EncryptionKey: ko.MustString("app.encryption_key"),
+ AllowedHosts: ko.Strings("webhook.allowed_hosts"),
})
if err != nil {
log.Fatalf("error initializing webhook manager: %v", err)
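Review bot: the field name AllowedHosts does not match what the accompanying config comment says it holds (CIDR ranges), and nothing in this hunk validates the strings, so a hostname or a mistyped range in allowed_hosts is not caught here at startup. Suggest parsing the list into []*net.IPNet at this point and failing with log.Fatalf on a bad entry, the same way the surrounding initialisation fails on a manager error, and either renaming the option to AllowedCIDRs or documenting that only CIDR notation is accepted. Reading the key with ko.Strings rather than a Must* accessor is the right choice for an optional key whose absence means "no bypass", but a one-line comment saying so would help, since every neighbouring line uses Must*.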
Source: GitHub Commit Update
The configuration file was also updated to include SSRF protection settings:
queue_size = 10000
# HTTP timeout for webhook requests
timeout = "15s"
+# CIDR ranges allowed to bypass SSRF protection (e.g. ["10.0.0.0/8"])
+allowed_hosts = []
[conversation]
# How often to check for conversations to unsnooze
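Review bot: the comment on allowed_hosts should say what an empty list means (no bypass; private, loopback and link-local destinations are all refused) and warn that a range as broad as the ["10.0.0.0/8"] example reopens the entire private network to any Application Admin. Suggest recommending the narrowest range that covers the internal receiver, typically a single /32, and noting that the option takes CIDR notation rather than hostnames despite its name.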
Source: GitHub Commit Update
Detection Methods for CVE-2026-26957
Indicators of Compromise
- Webhook configurations pointing to private, loopback or link-local address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16), or to hostnames that resolve there
- Webhook URLs targeting the cloud instance metadata endpoint 169.254.169.254
- Unusual outbound HTTP requests from the Libredesk server to internal hosts
- Application Admin account activity creating or modifying webhooks with suspicious destination URLs
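The Go program below is an added example, not Libredesk's code and not the validation the fix commit implements. It shows the destination check the Root Cause section says was missing, with allowed_hosts modelled as a list of CIDR strings that bypass the block list, and an AuditWebhooks pass that re-runs the same check over stored webhook configurations to surface the indicators listed above. The function names, the Resolver type, the DNS table and the five sample webhooks are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Destinations a webhook must never reach unless an operator allowlists them: unspecified,
// loopback, RFC 1918, CGNAT, link-local (home of 169.254.169.254) and the IPv6 equivalents.
var blockedRanges = []string{"0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10"}

// matchAny reports whether ip falls inside any of the CIDRs. A malformed entry is an error
// rather than silently skipped, so a typo in allowed_hosts cannot change the policy unnoticed.
// IPNet.Contains unwraps IPv4-mapped IPv6, so ::ffff:127.0.0.1 still matches 127.0.0.0/8.
func matchAny(ip net.IP, cidrs []string) (bool, error) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// Resolver abstracts DNS so the check runs offline; production code wraps net.DefaultResolver.
type Resolver func(host string) ([]net.IP, error)

// ValidateWebhookURL accepts only http/https URLs whose literal host, or every address the
// hostname resolves to, is inside allowedCIDRs (the bypass list the page describes for
// allowed_hosts) or outside blockedRanges. It returns the vetted addresses so the sender can
// dial exactly those instead of resolving again at delivery time (DNS rebinding defence).
func ValidateWebhookURL(rawURL string, allowedCIDRs []string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets already stripped
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips { // one internal answer among several is enough to reject
		allowed, err := matchAny(ip, allowedCIDRs)
		if err != nil {
			return nil, err
		}
		if blocked, _ := matchAny(ip, blockedRanges); blocked && !allowed {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// AuditWebhooks re-runs the check over stored webhooks (id -> URL) and returns the ones a
// pre-fix server accepted, keyed by id with the rejection reason.
func AuditWebhooks(hooks map[string]string, allowedCIDRs []string, resolve Resolver) map[string]string {
	findings := map[string]string{}
	for id, raw := range hooks {
		if _, err := ValidateWebhookURL(raw, allowedCIDRs, resolve); err != nil {
			findings[id] = err.Error()
		}
	}
	return findings
}

// Constructed DNS table and webhook store: one legitimate hook and four SSRF attempts.
var sampleDNS = map[string][]net.IP{
	"hooks.example.com":    {net.ParseIP("203.0.113.10")},
	"intranet.corp.local":  {net.ParseIP("10.20.30.40")},
	"rebind.attacker.test": {net.ParseIP("203.0.113.20"), net.ParseIP("127.0.0.1")},
}

func sampleResolver(host string) ([]net.IP, error) {
	if ips, ok := sampleDNS[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

var SampleWebhooks = map[string]string{
	"wh-1": "https://hooks.example.com/libredesk",
	"wh-2": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
	"wh-3": "http://intranet.corp.local:8080/api",
	"wh-4": "http://rebind.attacker.test/",
	"wh-5": "http://[::ffff:127.0.0.1]:9000/",
}
```

Running AuditWebhooks over SampleWebhooks with an empty allowlist flags wh-2 through wh-5 (metadata literal, internal hostname, a name with one public and one loopback answer, and an IPv4-mapped loopback literal); allowlisting 10.0.0.0/8, as the page's config comment suggests, clears only wh-3. Two caveats a real sender must also cover: connect to the addresses the check returned (for example by inspecting the address in a net.Dialer Control hook) rather than resolving the name again at delivery time, otherwise a DNS rebinding attacker passes the check and still reaches the internal host; and apply the same check to every redirect target via http.Client.CheckRedirect, since a 3xx from an attacker-controlled public host is the simplest bypass of a creation-time check.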
Detection Strategies
- Monitor webhook configuration changes in Libredesk audit logs for URLs containing internal IP addresses or localhost references
- Implement network-level monitoring to detect outbound HTTP requests from the Libredesk server to RFC 1918 address ranges
- Use intrusion detection systems to alert on attempts to access cloud metadata endpoints from application servers
- Review admin account login activity for signs of compromise or unusual access patterns
Monitoring Recommendations
- Enable comprehensive logging for all webhook-related operations including creation, modification, and execution
- Configure alerts for webhook configurations that include non-public IP addresses or known internal hostnames
- Monitor egress traffic from the Libredesk server for connections to internal network segments that should not be accessible
- Implement network segmentation monitoring to detect lateral movement attempts via SSRF exploitation
How to Mitigate CVE-2026-26957
Immediate Actions Required
- Upgrade Libredesk to version 1.0.2-0.20260215211005-727213631ce6 or later immediately
- Review all existing webhook configurations for potentially malicious destination URLs
- Audit Application Admin accounts for signs of compromise or unauthorized access
- Implement network segmentation to limit the impact of potential SSRF exploitation
Patch Information
The vulnerability has been addressed in Libredesk version 1.0.2-0.20260215211005-727213631ce6. The fix introduces an AllowedHosts configuration option that enables administrators to define CIDR ranges allowed to bypass SSRF protection. By default, the allowed_hosts list is empty, meaning SSRF protection is enforced for all webhook destinations.
For more details, see the GitHub Security Advisory GHSA-wgm6-9rvv-3438 and the security patch commit.
Workarounds
- Restrict Application Admin access to trusted personnel only until the patch can be applied
- Implement network-level egress filtering to block outbound HTTP requests from the Libredesk server to internal IP ranges
- Route the server's outbound HTTP traffic through an egress proxy that enforces a destination allowlist; an inbound web application firewall never sees webhook deliveries, although it can still block webhook-configuration requests whose payload contains internal addresses or localhost
- Consider disabling webhook functionality entirely if not critical to operations
# Configuration example for Libredesk webhook SSRF protection
# Add to config.toml after upgrading to patched version
[webhook]
queue_size = 10000
timeout = "15s"
# Leave allowed_hosts empty to enforce SSRF protection
# Only add CIDR ranges if internal webhook destinations are required
allowed_hosts = []
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.