CVE Catalog

CVE-2026-50552

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile - higher than 6% of all known CVEs

Summary

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint, allowing the server to be coerced into making requests to arbitrary internal hosts.

Risk Assessment

This vulnerability may lead to unauthorized access to internal resources by authenticated non-admin users, posing a significant threat to data security.

Recommendation

It is recommended to upgrade to version 9.7.1 or later to mitigate this vulnerability and to review access policies for non-admin users.

Original NVD description (English source)

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL — still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS