Description
Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.
Published: 2026-06-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Koha library management system through version 25.11 contains a server‑side request forgery flaw in the Z39.50/SRU server configuration. The flaw allows an attacker who has authenticated access to the Koha instance to specify arbitrary target hosts in the configuration, causing the server to make HTTP(S) requests to internal addresses. By analyzing response timings, the attacker can map the internal network and discover services. This is a pure SSRF, not an arbitrary code execution flaw; it is classified as CWE‑918. The potential impact is unauthorized internal network reconnaissance, which could lead to further attacks if other vulnerabilities exist.

Affected Systems

Koha library management system, versions up to and including 25.11, when the Z39.50/SRU configuration module is enabled. The vulnerability requires authentication to the Koha web interface and network access to the Z39.50 service port.

Risk and Exploitability

The CVSS score of 6.5 represents medium severity. The EPSS score of less than 1% indicates a low probability that the flaw will be actively exploited. The vulnerability is not listed in the CISA KEV catalog. Attackers must already have authorized access to the Koha instance to exploit SSRF; the impact is limited to internal reconnaissance, though it can enable subsequent, more severe attacks if other weaknesses are present. The key weakness is the lack of input validation when parsing the Z39.50 configuration, manifesting as a server‑side request forgery.

Generated by OpenCVE AI on June 4, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Koha to any release newer than 25.11 where the Z39.50 configuration issue is fixed.
  • Restrict network exposure to the Z39.50 service by allowing traffic only from trusted IP ranges or by placing the service behind a firewall.
  • If the Z39.50 feature is not required, disable it; if it is required, apply strict input validation to the configuration interface to reject disallowed characters and values, thereby preventing injection attempts.

Generated by OpenCVE AI on June 4, 2026 at 17:23 UTC.
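The strict input validation the recommended actions call for can be implemented as an allowlist check applied to each configured Z39.50/SRU target before it is saved. The following is an added illustrative example in Python, not Koha's own code (Koha itself is written in Perl); the function name `validate_target`, the allowlist entries and the check order are assumptions.

```python
import ipaddress
import re

# Constructed allowlist of external Z39.50/SRU targets an administrator has
# approved (hypothetical values; a real deployment would load these from config).
ALLOWED_HOSTS = {"lx2.loc.gov", "z3950.example.org"}

# RFC 1123 hostname: labels of letters, digits and hyphens separated by dots.
# Anything else (spaces, metacharacters, URL syntax) is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def validate_target(host, port):
    """Return (ok, reason) for one Z39.50/SRU server entry (hypothetical check)."""
    host = (host or "").strip().lower()
    if not host:
        return False, "empty host"

    # Literal IP addresses are never accepted. Reporting the non-global case
    # separately makes loopback/private/link-local probes visible in logs.
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return False, "non-global address %s rejected" % ip
        return False, "literal IP addresses are not allowed; use an approved hostname"

    if not HOSTNAME_RE.match(host):
        return False, "hostname contains disallowed characters"
    if host not in ALLOWED_HOSTS:
        return False, "hostname is not on the approved Z39.50/SRU target list"

    try:
        port_n = int(port)
    except (TypeError, ValueError):
        return False, "port must be an integer"
    if not 1 <= port_n <= 65535:
        return False, "port out of range"

    # Caveat: an approved hostname can still resolve to an internal address
    # (DNS rebinding). Resolve it and re-check is_global on the result right
    # before each connection, not only when the entry is saved.
    return True, "ok"
```

Because the check is an allowlist rather than a denylist, a target the administrator has not explicitly approved is refused even when it looks like a public hostname.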

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Koha; Koha koha
CPEs                |                | cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*
Vendors & Products  |                | Koha; Koha koha

Thu, 04 Jun 2026 17:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Koha SSRF via Z39.50 Configuration Enables Internal Network Scanning

Thu, 04 Jun 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description | An issue in Koha v.25.11 and before allows a remote attacker to execute arbitrary code via the Z39.50 configuration module | Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.

Thu, 04 Jun 2026 16:15:00 +0000

Type       | Values Removed                                          | Values Added
Title      | Remote Code Execution via Z39.50 Configuration in Koha |
Weaknesses | CWE-78; CWE-94                                          |

Thu, 04 Jun 2026 14:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-918

Thu, 04 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 20:45:00 +0000

Type                | Values Removed | Values Added
Title               |                | Remote Code Execution via Z39.50 Configuration in Koha
First Time appeared |                | Koha-community; Koha-community koha
Weaknesses          |                | CWE-78; CWE-94
Vendors & Products  |                | Koha-community; Koha-community koha

Wed, 03 Jun 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | An issue in Koha v.25.11 and before allows a remote attacker to execute arbitrary code via the Z39.50 configuration module

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T16:19:25.366Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26379

Vulnrichment

Updated: 2026-06-04T12:27:33.215Z

NVD

Status: Analyzed

Published: 2026-06-03T19:16:25.647

Modified: 2026-06-04T18:54:11.703

Link: CVE-2026-26379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T17:30:16Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)