CVE-2026-26957: Libredesk has a SSRF Vulnerability in Webhooks

February 18, 2026 (updated February 20, 2026)

A critical security vulnerability exists in the LibreDesk Webhooks module that allows an authenticated “Application Admin” to compromise the underlying cloud infrastructure or internal corporate network where this service is being hosted.

The application fails to validate destination URLs for webhooks. This allows an attacker to force the server to make HTTP requests to arbitrary internal destinations.

References

github.com/abhinavxd/libredesk
github.com/abhinavxd/libredesk/commit/727213631ce6a36bcb06f50ce542155e78f51316
github.com/abhinavxd/libredesk/security/advisories/GHSA-wgm6-9rvv-3438
github.com/advisories/GHSA-wgm6-9rvv-3438
nvd.nist.gov/vuln/detail/CVE-2026-26957

Code Behaviors & Features

Detect and mitigate CVE-2026-26957 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →