PatchSiren cyber security CVE debrief
CVE-2026-50552 koel CVE debrief
CVE-2026-50552 is a Server-Side Request Forgery (SSRF) vulnerability in Koel, a free, open-source music streaming solution. The vulnerability affects Koel prior to version 9.7.1. The SSRF vulnerability is located in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, allowing the HasAudioContentType rule to execute even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. This allows any authenticated, non-admin user to coerce the server into making HEAD/GET requests to arbitrary internal hosts.
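The mechanism described above is a rule-ordering problem: Laravel evaluates every rule attached to a field unless the field's rule list starts with `bail`, which stops at the first failure. The following added example (not Koel's code and not the project's patch) models that behaviour in Python so the difference is visible: `safe_url` stands in for the SafeUrl rule and rejects non-global IP literals, and `has_audio_content_type` stands in for the HasAudioContentType rule, which in the real application contacts the URL; here the outbound request is only recorded, never made. The URLs and rule names as Python functions are constructed for this example.

```python
"""
Added example, not Koel's code: models Laravel validation rule chaining
with and without `bail`, to show why a rule that makes an outbound
request must not run after SafeUrl has already rejected the URL.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed sample inputs for the example.
PRIVATE_TARGET = "http://10.0.0.5/admin"          # RFC 1918 address
LOOPBACK_TARGET = "http://127.0.0.1:8000/"         # loopback
METADATA_TARGET = "http://169.254.169.254/latest"  # link-local
PUBLIC_TARGET = "http://radio.example.com/stream"  # hostname, documentation domain


def safe_url(url: str) -> bool:
    """Stand-in for the SafeUrl rule: reject IP literals that are not globally routable."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A production rule would resolve the name and
        # apply the same check to every resolved address; this model does not.
        return True
    return addr.is_global


def has_audio_content_type(url: str, outbound_log: list) -> bool:
    """Stand-in for HasAudioContentType: the real rule issues a HEAD/GET to inspect
    Content-Type. Here the request is only appended to outbound_log."""
    outbound_log.append(("HEAD", url))
    return True  # the content-type outcome is irrelevant to the SSRF point


# Rules in the order the field declares them.
RULES = [
    ("SafeUrl", lambda url, log: safe_url(url)),
    ("HasAudioContentType", has_audio_content_type),
]


def validate(url: str, bail: bool, outbound_log: list) -> list:
    """Run the rules in order. With bail=True, stop after the first failing rule,
    which is what Laravel's `bail` does for a field."""
    errors = []
    for name, rule in RULES:
        if not rule(url, outbound_log):
            errors.append(name)
            if bail:
                break
    return errors


def vulnerable_validate(url: str):
    """Rules declared without bail: every rule runs even after SafeUrl fails."""
    log = []
    return validate(url, bail=False, outbound_log=log), log


def fixed_validate(url: str):
    """Rules declared with bail: SafeUrl failure prevents the fetching rule from running."""
    log = []
    return validate(url, bail=True, outbound_log=log), log


if __name__ == "__main__":
    for target in (PRIVATE_TARGET, LOOPBACK_TARGET, METADATA_TARGET, PUBLIC_TARGET):
        print(target)
        print("  without bail:", vulnerable_validate(target))
        print("  with bail:   ", fixed_validate(target))
```

Without `bail`, the private-address URL is still rejected with a SafeUrl error, but the outbound request to it has already been recorded by the time the error is reported; the validation failure does not undo the request. With `bail`, the log stays empty for every rejected URL and only the public hostname reaches the content-type rule. In Laravel the equivalent change is placing `'bail'` first in the field's rule list, which is the omission the debrief identifies.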
- Vendor
- koel
- Product
- Unknown
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of Koel prior to version 9.7.1 should apply the patch to prevent exploitation of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 6.3 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The weakness is classified as CWE-918.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Koel version 9.7.1 or later.
- Restrict access to the radio station creation endpoint to admin users only.
- Implement additional security measures to detect and prevent SSRF attacks.
Evidence notes
The vulnerability was patched in version 9.7.1. References: [ref-4](https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6), [ref-5](https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw).
Official resources
CVE-2026-50552 was published on 2026-06-12T20:16:47.080Z.