CVE-2026-50552: Server-Side Request Forgery via Validation Bypass in Koel
Vulnerability ID: CVE-2026-50552
CVSS Score: 6.3
Published: 2026-07-15
An authenticated Server-Side Request Forgery (SSRF) vulnerability in Koel, an open-source personal music streaming server, allows remote attackers to probe internal hosts and loopback addresses. The vulnerability arises due to a missing 'bail' validation rule in the Laravel-based form validation pipeline, which permits downstream HTTP checks to execute even after a URL has failed security verification.
TL;DR
A missing validation halt keyword allows Koel's HTTP client to initiate connection probes to internal and loopback IP addresses even after the URL is marked unsafe.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918 (Server-Side Request Forgery)
- Attack Vector: Network (AV:N)
- CVSS v3.1 Score: 6.3 (Medium)
- EPSS Score: 0.0016
- EPSS Percentile: 5.55%
- Exploit Status: Proof of Concept / Public Details Available
- CISA KEV Status: Not Listed
Affected Systems
- Koel streaming servers deployed on private networks or hosting platforms.
-
Koel: < 9.7.1 (Fixed in:
9.7.1)
Code Analysis
Commit: 5f6ce2c
Add bail rule to radio requests and fix potential SSRF issues
Mitigation Strategies
- Upgrade the Koel application instance to version 9.7.1 or higher to enforce proper validation termination.
- Restrict outbound network access from the Koel application container to internal subnets (RFC 1918) and the local loopback interface.
- Utilize Web Application Firewall (WAF) rules to detect and reject validation requests containing internal IP configurations.
Remediation Steps:
- Navigate to the root directory of the Koel deployment.
- Pull the latest codebase updates using the repository manager: git pull origin master
- Re-install dependencies using Composer: composer install --no-dev
- Synchronize system state using the Artisan command-line tool: php artisan koel:sync
References
- GitHub Security Advisory GHSA-jr4p-4xjh-fwvw
- Official Fix Commit
- CVE Record Database
- NVD Vulnerability Detail
- Koel Release v9.7.1
Read the full report for CVE-2026-50552 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)