Koel: Server-Side Request Forgery (SSRF) in radio station creation due...

6.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL — still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1.

Basic Information

ID CVE-2026-50552

Source GitHub_M

Published Jun 12, 2026 at 18:51

Affected Product

Vendor koel

Product koel

Version < 9.7.1

Affected Versions koel koel < 9.7.1

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule \u2014 which issues HTTP requests to the supplied URL \u2014 still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1.",
    "published": "2026-06-12T18:51:46.028Z",
    "modified": "2026-06-12T18:51:46.028Z",
    "type": "cve",
    "title": "Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail",
    "source": "GitHub_M",
    "references": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw\nhttps://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6",
    "id": "CVE-2026-50552",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "koel koel < 9.7.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "koel",
    "version": "< 9.7.1",
    "vendor": "koel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail_CVE-2026-50552