CVE-2026-50552 MEDIUM

CVE-2026-50552: Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail

Vendor Koel
Product koel
Weakness CWE-918 · SSRF
Published June 12, 2026
Last update June 15, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL — still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

04Related CVE