CVE-2026-50552
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint, allowing the server to be coerced into making requests to arbitrary internal hosts.
Risk Assessment
This vulnerability may lead to unauthorized access to internal resources by authenticated non-admin users, posing a significant threat to data security.
Recommendation
It is recommended to upgrade to version 9.7.1 or later to mitigate this vulnerability and to review access policies for non-admin users.
Original NVD description (English source)
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL — still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1.

