Koel Authenticated Full-Read SSRF via Subsonic Internet Radio Stations
An authenticated user can exploit a Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-54493, in Koel v9.6.0 via the Subsonic-compatible radio endpoints, which lack proper URL validation, allowing the server to fetch and return the body of internal network resources.
A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-54493, has been discovered in Koel versions up to and including v9.6.0. This flaw affects the Subsonic-compatible radio endpoints, specifically createInternetRadioStation.view and updateInternetRadioStation.view, which do not enforce the same URL validation as the regular web API. An authenticated attacker can exploit this by crafting a request to these endpoints, supplying a malicious streamUrl parameter pointing to an internal or private network resource. When the created or updated radio station is subsequently played, the Koel server initiates a server-side request to the attacker-controlled URL. Unlike blind SSRF, this vulnerability allows the attacker to receive the full response body from the internal resource, facilitating internal HTTP reconnaissance, access to sensitive internal HTTP services, and potential data exfiltration from the server's network. The issue was validated against phanan/koel:9.6.0 image.
Attack Chain
- An authenticated attacker obtains valid API and Subsonic API keys for the target Koel instance.
- The attacker crafts an HTTP GET or POST request to Koel's Subsonic endpoint, such as
/rest/createInternetRadioStation.view. - The request includes a
streamUrlparameter pointing to a target internal or private network resource (e.g.,http://172.17.0.1:18090/feed.xml). - Koel's Subsonic endpoint processes the request without applying URL validation checks, storing the malicious
streamUrlas a radio station property. - The attacker resolves the unique identifier (ID) of the newly created or updated radio station.
- The attacker sends an HTTP GET request to the stream endpoint,
/radio/stream/{id}, attempting to play the crafted radio station. - Koel's
RadioStreamProxy::openStream()function initiates a server-side request to thestreamUrlvalue stored in the radio station object. - The full HTTP response body from the internal network resource is returned to the Koel server, which then forwards it to the attacker's client, enabling full-read SSRF.
Impact
The successful exploitation of CVE-2026-54493 allows an authenticated attacker to perform extensive internal network reconnaissance and potentially exfiltrate sensitive data. Attackers can read loopback-only, RFC1918, or Docker-bridge HTTP services, access internal admin panels, metrics services, or metadata endpoints that are not publicly exposed. This full-read Server-Side Request Forgery significantly amplifies the risk compared to blind SSRF, as it grants attackers direct access to the content of internal HTTP responses, thereby exposing sensitive configurations, credentials, or internal application data. The scope of targeted entities includes any internal HTTP service reachable from the Koel server.
Recommendation
- Patch CVE-2026-54493 immediately by upgrading Koel to a version where the Subsonic request validators apply the
SafeUrlandHasAudioContentTyperules to thestreamUrlparameter, as shown in the provided patch forapp/Http/Requests/Subsonic/CreateInternetRadioStationRequest.phpandapp/Http/Requests/Subsonic/UpdateInternetRadioStationRequest.php. - Implement defense-in-depth by ensuring the
RadioStreamProxy::openStream()function performs a safety check on the URL before opening a stream, as suggested in the patch forapp/Services/Radio/RadioStreamProxy.php. - Deploy the Sigma rule "Detect CVE-2026-54493 Exploitation - Koel Subsonic SSRF Attempt" to your SIEM to identify attempts to create or update radio stations with internal IP addresses or hostnames.
- Ensure web server logs (e.g., Apache, Nginx access logs) are being collected for the
webserverlogsource category, as they are crucial for detecting the HTTP request patterns targeted by the detection rule.
Detection coverage 1
Detect CVE-2026-54493 Exploitation - Koel Subsonic SSRF Attempt
highDetects CVE-2026-54493 exploitation - attempts to create or update Koel radio stations via Subsonic endpoints with internal IP addresses or hostnames in the streamUrl parameter, indicating an SSRF attempt.
Detection queries are available on the platform. Get full rules →