PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47260 koel CVE debrief

CVE-2026-47260 is a Server-Side Request Forgery (SSRF) vulnerability in Koel, a free, open-source music streaming solution. The vulnerability allows attackers to access internal services by exploiting the podcast feed URL validation mechanism. Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but fails to validate individual episode enclosure URLs extracted from the RSS XML. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL and streams it back to the user, enabling full-read SSRF against internal services. This issue has been patched in version 9.3.5.

Vendor
koel
Product
Unknown
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-13
Advisory published
2026-06-12
Advisory updated
2026-06-13

Who should care

Users of Koel music streaming solution, administrators of internal networks, and security teams should be aware of this vulnerability.

Technical summary

The vulnerability exists in the podcast feed URL validation mechanism of Koel. Specifically, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but individual episode enclosure URLs extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get() and streams it back to the user, enabling full-read SSRF against internal services.

Defensive priority

High

Recommended defensive actions

  • Update Koel to version 9.3.5 or later.
  • Restrict access to internal services.
  • Monitor for suspicious activity.

Evidence notes

CVE-2026-47260 has a CVSS score of 7.7 and is classified as HIGH severity. The vulnerability was published on 2026-06-12T20:16:46.320Z and modified on 2026-06-13T04:17:32.807Z.

Official resources

CVE-2026-47260 was published on 2026-06-12T20:16:46.320Z and modified on 2026-06-13T04:17:32.807Z.