Deskpro Knowledge Base Voting Manipulation (CVE-2026-XXXXX)

Disclosure Date: 6 June 2026
Researcher: Paul Hutchinson, Lexiphanic Ltd
Severity: MEDIUM (CVSS v4.0: 4.3)
Status: Disclosed - Vendor does not consider this a security vulnerability

Summary

The Deskpro knowledge base voting system allows unauthenticated manipulation of article votes due to missing request validation, authentication requirements, and rate limiting. This enables any party to artificially inflate or reduce article vote counts, compromising data integrity and feedback metrics across all exposed Deskpro instances.

Product Information

• Vendor: Deskpro
• Product: Deskpro (core platform / knowledge base component)
• Affected Versions: All versions with public knowledge base enabled
• Affected Platform: Deskpro installations accessible to unauthenticated users (including deskpro/deskpro-product Docker images)
• Component: Knowledge Base article voting endpoints (vote-up, vote-down)

Vulnerability Details

Technical Description

The voting mechanism for knowledge base articles lacks fundamental security controls. The vote-up and vote-down endpoints accept unauthenticated POST requests without:

• Authentication or session validation
• User identity verification
• Rate limiting or throttling
• CSRF token validation
• CAPTCHA or anti-automation controls

This allows unlimited, automated manipulation of vote counts from any source.

Proof of Concept

The following requests can be executed repeatedly without restriction:

curl -X POST https://support.deskpro.com/en-US/kb/articles/1-organize-your-helpdesk-into-departments/vote-down

curl -X POST https://support.deskpro.com/en-US/kb/articles/1-organize-your-helpdesk-into-departments/vote-up

Each invocation immediately affects the stored vote count with no validation or throttling.

Video Demonstration:

Impact Assessment

Business Impact

• Article Credibility: Vote counts can be manipulated to mislead users about content quality
• Ranking Manipulation: Article visibility and search ranking can be artificially altered
• Reputation Attack: Targeted downvoting campaigns against specific documentation
• Analytics Corruption: Inflated or deflated metrics affect reporting and internal decisions
• Social Engineering: Malicious articles could be artificially promoted for phishing campaigns

CVSS v4.0 Score

Score: 4.3 (MEDIUM)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

• Attack Vector (AV:N): Network - remotely exploitable
• Attack Complexity (AC:L): Low - no special conditions required
• Attack Requirements (AT:N): None
• Privileges Required (PR:N): None - unauthenticated
• User Interaction (UI:N): None required
• Vulnerable System Confidentiality (VC:L): Low - vote metrics exposed
• Vulnerable System Integrity (VI:L): Low - data integrity compromised
• Vulnerable System Availability (VA:N): None

This represents a data integrity vulnerability rather than direct security access or data exposure.

Disclosure Timeline

Vendor Response

Deskpro's security team reviewed the report and responded that the knowledge base voting functionality is intentionally available to unauthenticated users to enable quick visitor feedback. They classified this as product behaviour rather than a security vulnerability.

The vendor indicated they would pass feedback to the relevant team for consideration of future improvements, such as additional abuse protections.

Despite the vendor's position, I proceeded with a CVE request to ensure transparent tracking across installations, as the absence of validation controls represents a data integrity issue that could have reputational and operational impact on public deployments.

Vendor did not provide additional response or vendor statement after follow-up.

Recommended Remediation

Organizations using Deskpro with public knowledge bases should consider the following mitigations:

Vendor-Side Fixes (Recommended)

1. Implement authentication requirement - Tie voting actions to authenticated user sessions
2. Server-side rate limiting - Apply per-user or per-IP throttling (e.g., 5 votes per hour)
3. CSRF protection - Add token validation to voting endpoints
4. CAPTCHA integration - Prevent automated abuse with human verification
5. IP fingerprinting - Track and limit votes from single sources
6. Cookie-based vote tracking - Use persistent identifiers to prevent duplicate votes

User-Side Mitigations

Until vendor fixes are available:

• Monitor vote analytics for unusual patterns or spikes
• Disable public voting if data integrity is critical
• Implement web application firewall (WAF) rules to rate-limit voting endpoints
• Use reverse proxy rate limiting as temporary protection

CVE Information

CVE ID: CVE-2026-XXXXX (pending assignment)
CNA: MITRE CNA of Last Resort
Classification: Data Integrity / Functional Abuse

References

• Deskpro Official Site
• Deskpro Docker Image
• CVSS v4.0 Calculator
• MITRE CVE Program

Credits

Discovered by: Paul Hutchinson
Organization: Lexiphanic Ltd
Contact: paul@lexiphanic.co.uk
GitHub: happypaul55

Responsible Disclosure

This vulnerability was disclosed following a 90-day responsible disclosure timeline. The vendor was given opportunity to:

• Acknowledge the issue within 48 hours
• Release a fix within 90 days
• Provide a vendor statement for CVE coordination

Public disclosure proceeded after the 90-day window, with no fix deployed and no vendor statement provided.

This research was conducted as part of Lexiphanic Ltd's ongoing security research program. If you have questions about this disclosure or would like to report a security issue, please contact paul@lexiphanic.co.uk.