CVE-2026-26957
CVE-2026-26957 is a security vulnerability that is still awaiting full analysis and scoring.
Key facts
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-8412
- Published:
- Last modified:
Description
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed." Notes: none.
Frequently asked questions
- What is CVE-2026-26957?
- Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it. Anyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed." Notes: none.
- Is CVE-2026-26957 being actively exploited?
- It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
- How do I fix CVE-2026-26957?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-26957 have an EU (EUVD) identifier?
- Yes. CVE-2026-26957 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8412.
- When was CVE-2026-26957 published?
- CVE-2026-26957 was published on 2026-02-20 and last updated on 2026-06-09.