DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-50552: CVE-2026-50552: Server-Side Request Forgery via Validation Bypass in Koel

CVE-2026-50552: Server-Side Request Forgery via Validation Bypass in Koel

Vulnerability ID: CVE-2026-50552
CVSS Score: 6.3
Published: 2026-07-15

An authenticated Server-Side Request Forgery (SSRF) vulnerability in Koel, an open-source personal music streaming server, allows remote attackers to probe internal hosts and loopback addresses. The vulnerability arises due to a missing 'bail' validation rule in the Laravel-based form validation pipeline, which permits downstream HTTP checks to execute even after a URL has failed security verification.

TL;DR

A missing validation halt keyword allows Koel's HTTP client to initiate connection probes to internal and loopback IP addresses even after the URL is marked unsafe.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918 (Server-Side Request Forgery)
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 6.3 (Medium)
  • EPSS Score: 0.0016
  • EPSS Percentile: 5.55%
  • Exploit Status: Proof of Concept / Public Details Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Koel streaming servers deployed on private networks or hosting platforms.
  • Koel: < 9.7.1 (Fixed in: 9.7.1)

Code Analysis

Commit: 5f6ce2c

Add bail rule to radio requests and fix potential SSRF issues

Mitigation Strategies

  • Upgrade the Koel application instance to version 9.7.1 or higher to enforce proper validation termination.
  • Restrict outbound network access from the Koel application container to internal subnets (RFC 1918) and the local loopback interface.
  • Utilize Web Application Firewall (WAF) rules to detect and reject validation requests containing internal IP configurations.

Remediation Steps:

  1. Navigate to the root directory of the Koel deployment.
  2. Pull the latest codebase updates using the repository manager: git pull origin master
  3. Re-install dependencies using Composer: composer install --no-dev
  4. Synchronize system state using the Artisan command-line tool: php artisan koel:sync

References


Read the full report for CVE-2026-50552 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)