GHSA-8Q6Q-M837-FV64: Authenticated Server-Side Request Forgery in Koel
Vulnerability ID: GHSA-8Q6Q-M837-FV64
CVSS Score: 6.4
Published: 2026-07-15
A Server-Side Request Forgery (SSRF) vulnerability in the open-source personal music streaming server Koel allows authenticated Subsonic API users to perform unauthorized network queries. This flaw resides in both the Subsonic podcast feed import routine and the subsequent redirect handling inside the podcast streaming helper, exposing private local networks and internal loopback systems to unauthorized reconnaissance and interaction.
TL;DR
Authenticated Subsonic API users can exploit SSRF vectors in Koel <= 9.6.0 to scan internal networks, loopback interfaces, and cloud metadata resources via unvalidated podcast feed imports and redirect-following stream helpers.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS: 6.4
- Impact: Blind SSRF, Internal Port Scanning, Information Disclosure
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- Koel streaming server
-
phanan/koel: <= 9.6.0 (Fixed in:
9.7.0)
Code Analysis
Commit: 1331f33
fix: close SSRF gaps in Subsonic podcast and internet radio endpoints (#2545)
Commit: c264a3d
fix: validate every redirect hop on outbound HTTP (#2546)
Mitigation Strategies
- Upgrade Koel to version 9.7.0 or above
- Configure network firewall egress rules to block private IP space from the Koel host
- Implement WAF signatures to validate URL parameters on Subsonic API endpoints
Remediation Steps:
- Inspect the running Koel version and verify if it is <= 9.6.0.
- Apply the patch release 9.7.0 using composer and standard deployment routines.
- Confirm that requests to local addresses inside Subsonic API endpoints are rejected with a validation error.
References
Read the full report for GHSA-8Q6Q-M837-FV64 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)