Description
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL — still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1.
Published: 2026-06-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Koel allows an authenticated, non-admin user to submit any URL when creating a radio station. Because the validation rule that should reject private or reserved addresses does not stop the subsequent HTTP request rule from running, the server still performs HEAD/GET requests to that URL. An attacker can therefore force the server to contact arbitrary internal hosts, potentially exposing internal services or data.

Affected Systems

The vulnerability exists in Koel, the open-source music streaming solution, in all releases prior to version 9.7.1. The affected product is Koel (koel:koel).

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity, and the EPSS score is below 1%, indicating a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog. An attacker who can log in as a regular user can exploit the endpoint to probe internal network hosts. The missing bail keyword in the validation chain is the direct cause of the weakness.

Generated by OpenCVE AI on June 12, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Koel to version 9.7.1 or later.
  • If an upgrade is not immediately possible, restrict use of the radio station creation endpoint to admin users only.
  • Implement or enforce stricter URL validation that rejects private or reserved addresses before any outbound request is made.
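The fix the advisory describes (declaring the url rules with bail so the content-type probe never runs once SafeUrl has failed) together with the stricter address check from the last recommended action, as an added Laravel example that is not Koel's own code. It assumes a Laravel application (the ValidationRule interface and FormRequest base class, PHP 8); the SafeUrl and HasAudioContentType classes here are hypothetical stand-ins for the rules the advisory names, not Koel's implementations.

```php
<?php
// Added example (not Koel's code): the radio-station URL rules declared fail-fast.
// SafeUrl and HasAudioContentType are hypothetical stand-ins for the rules named.
use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Foundation\Http\FormRequest;

// Rejects URLs whose host resolves to a private or reserved address.
final class SafeUrl implements ValidationRule
{
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        $host = (string) parse_url((string) $value, PHP_URL_HOST);
        // Resolve once; an IP literal passes through gethostbyname() unchanged.
        $ip = $host === '' ? '' : gethostbyname(trim($host, '[]'));
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            $fail('The :attribute must not point to a private or reserved address.');
        }
    }
}

// Issues the outbound HEAD request; must only run after SafeUrl has passed.
final class HasAudioContentType implements ValidationRule
{
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        // HEAD only and no redirect following: a redirect could otherwise point back inside.
        $ctx = stream_context_create(['http' => ['method' => 'HEAD', 'follow_location' => 0, 'timeout' => 5]]);
        $headers = array_change_key_case(@get_headers((string) $value, true, $ctx) ?: []);
        $type = (string) ($headers['content-type'] ?? '');
        if (!str_starts_with(strtolower($type), 'audio/')) {
            $fail('The :attribute must serve an audio content type.');
        }
    }
}

final class StoreRadioStationRequest extends FormRequest
{
    public function rules(): array
    {
        // Without `bail`, every rule runs even after SafeUrl fails (the advisory's bug);
        // with `bail` first, Laravel stops validating `url` at the first failing rule.
        return ['url' => ['bail', 'required', 'url', new SafeUrl, new HasAudioContentType]];
    }
}
```

The host is resolved once at validation time, so a name that resolves differently when the request is actually made is not caught by this check alone.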

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Koel, Koel koel
Vendors & Products | | Koel, Koel koel

Fri, 12 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | (the description text given in the Description section above)
Title | | Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:51:46.028Z

Reserved: 2026-06-04T20:37:18.654Z

Link: CVE-2026-50552

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T20:16:47.080

Modified: 2026-06-12T20:16:47.080

Link: CVE-2026-50552

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:00:19Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)