## SSRF Vulnerability in Webhooks

### Key Information

- **Package:** LibreDesk
- **Affected Versions:** Latest
- **Patched Versions:** None
- **CVE ID:** CVE-2026-26957
- **Severity:** Medium
- **Weaknesses:** CWE-209, CWE-918
- **Component:** Webhooks Module

### Executive Summary

- **Description:** A server-side request forgery (SSRF) vulnerability in the LibreDesk Webhooks module lets an authenticated "Application Admin" make the server issue HTTP requests to arbitrary internal destinations, reaching services on the hosting cloud infrastructure or the internal corporate network. The application does not validate a webhook's destination URL beyond checking that it is non-empty, so any address the server can reach can be configured as a webhook target.

### Confirmed Attack Vectors

1. **Internal Port Scanning (Network Mapping)**
   - **Impact:** An attacker can enumerate listening services on the application host and its network, because the delivery log distinguishes an accepted connection from a refused one.
   - **Proof of Exploitation:**
     - Open port (8890): `timestamp=... level=info message="webhook delivered successfully" ... status_code=200`
     - Closed port (8891): `timestamp=... level=error message="webhook delivery failed" ... error="... connection refused"`
2. **Information Leakage (Error-Based)**
   - **Impact:** An attacker can extract sensitive data from internal endpoints by pointing a webhook at one that answers with an error status, because the failure path logs the response body verbatim.
   - **Proof of Exploitation:**
     - `timestamp=... level=error message="webhook delivery failed" ... response="{\"secret_key\": \"xxx123\", \"role\": \"admin\"}"`

### Technical Root Cause

1. **Missing Input Validation:** `cmd/webhooks.go` only checks that the URL is non-empty; it does not reject URLs that point at, or resolve to, a private, loopback or link-local address.
2. **Unrestricted HTTP Client:** `internal/webhook/webhook.go` uses a default `http.Client`, which follows redirects and connects to whatever address the URL resolves to.
3. **Verbose Error Logging:** On a failed delivery the application logs the full response body (CWE-209).

### Remediation Required

1. **Input Validation:** Reject webhook URLs whose host is, or resolves to, a private, loopback or link-local address.
2. **Safe HTTP Client:** Use a custom `http.Transport` that verifies the destination IP address after DNS resolution, on the initial request and again on every redirect hop, so that neither a redirect nor a changed DNS answer can bypass the check in step 1.
3. **Reduced Error Logging:** Log only the status code (and at most the size) of a failed delivery's response, never its body.
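The remediation above, worked through as an added Go example. This is not LibreDesk's code and does not reproduce `cmd/webhooks.go` or `internal/webhook/webhook.go`; the function names (`validateWebhookURL`, `safeDialContext`, `newSafeWebhookClient`, `deliver`), the redirect cap of three hops and the timeouts are this example's own choices. The pre-resolution check rejects literal addresses in blocked ranges; the transport's dialer re-resolves every hostname, vets each answer and dials the vetted IP rather than the name; `CheckRedirect` re-runs the URL check on each hop; and the delivery error carries only status and body length, addressing the CWE-209 half of the advisory.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// ErrDisallowedDestination is returned, before any TCP connect, when a webhook would reach a non-public address.
var ErrDisallowedDestination = errors.New("webhook destination is not a public address")

// isDisallowedAddr blocks loopback, RFC 1918 / ULA private, link-local (which covers
// the 169.254.169.254 cloud metadata address), unspecified and multicast addresses.
func isDisallowedAddr(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:10.0.0.1 exactly like 10.0.0.1
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsLinkLocalMulticast() || addr.IsInterfaceLocalMulticast() ||
		addr.IsMulticast() || addr.IsUnspecified()
}

// validateWebhookURL is the check that belongs beside the existing empty-URL test:
// literal IP hosts are vetted here; DNS names can only be vetted in the dialer.
func validateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("webhook URL must be an absolute http(s) URL with a host: %q", raw)
	}
	if ip, err := netip.ParseAddr(u.Hostname()); err == nil && isDisallowedAddr(ip) {
		return ErrDisallowedDestination
	}
	return nil
}

// safeDialContext resolves the name itself, vets every answer and dials the vetted IP
// rather than the name, so a DNS rebind between check and connect cannot swap in a
// private address. http.Transport still takes the TLS ServerName from the request URL.
func safeDialContext(ctx context.Context, network, address string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host) // errors when nothing resolves
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if isDisallowedAddr(ip) {
			return nil, ErrDisallowedDestination
		}
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].Unmap().String(), port))
}

// newSafeWebhookClient replaces the default http.Client: the policy runs on every
// connection including redirect hops, hops are capped, no HTTP_PROXY, bounded timeouts.
func newSafeWebhookClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext}, // Proxy left nil on purpose
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many webhook redirects")
			}
			return validateWebhookURL(req.URL.String())
		},
	}
}

// deliver reports only status and body length on failure, never the body itself, so an
// internal endpoint's response cannot end up in the application log (CWE-209).
func deliver(client *http.Client, rawURL string, payload []byte) error {
	if err := validateWebhookURL(rawURL); err != nil {
		return err
	}
	resp, err := client.Post(rawURL, "application/json", bytes.NewReader(payload))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	n, _ := io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<20))
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("webhook delivery failed: status=%d body_bytes=%d", resp.StatusCode, n)
	}
	return nil
}

func main() {
	for _, t := range []string{"http://127.0.0.1:8890/", "http://169.254.169.254/latest/"} {
		fmt.Printf("%s -> %v\n", t, deliver(newSafeWebhookClient(), t, []byte(`{"event":"ping"}`)))
	}
}
```

Both the loopback port probe from the advisory and the link-local metadata address are refused without a socket ever being opened. The dialer is the check that matters: a hostname passes `validateWebhookURL`, so an attacker-controlled DNS record pointing at 10.0.0.0/8 is only caught when the transport resolves it, and dialing the vetted IP (not the name) closes the rebinding window between that lookup and the connect. `Unmap()` keeps IPv4-mapped IPv6 forms such as `[::ffff:10.0.0.5]` from slipping past the IPv4 range checks.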