{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/subsonic/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Koel (\u003c= 9.6.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","web-application","vulnerability","koel","subsonic"],"_cs_type":"advisory","_cs_vendors":["phanan"],"content_html":"\u003cp\u003eA critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-54493, has been discovered in Koel versions up to and including v9.6.0. This flaw affects the Subsonic-compatible radio endpoints, specifically \u003ccode\u003ecreateInternetRadioStation.view\u003c/code\u003e and \u003ccode\u003eupdateInternetRadioStation.view\u003c/code\u003e, which do not enforce the same URL validation as the regular web API. An authenticated attacker can exploit this by crafting a request to these endpoints, supplying a malicious \u003ccode\u003estreamUrl\u003c/code\u003e parameter pointing to an internal or private network resource. When the created or updated radio station is subsequently played, the Koel server initiates a server-side request to the attacker-controlled URL. Unlike blind SSRF, this vulnerability allows the attacker to receive the full response body from the internal resource, facilitating internal HTTP reconnaissance, access to sensitive internal HTTP services, and potential data exfiltration from the server's network. The issue was validated against \u003ccode\u003ephanan/koel:9.6.0\u003c/code\u003e image.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker obtains valid API and Subsonic API keys for the target Koel instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET or POST request to Koel's Subsonic endpoint, such as \u003ccode\u003e/rest/createInternetRadioStation.view\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003estreamUrl\u003c/code\u003e parameter pointing to a target internal or private network resource (e.g., \u003ccode\u003ehttp://172.17.0.1:18090/feed.xml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eKoel's Subsonic endpoint processes the request without applying URL validation checks, storing the malicious \u003ccode\u003estreamUrl\u003c/code\u003e as a radio station property.\u003c/li\u003e\n\u003cli\u003eThe attacker resolves the unique identifier (ID) of the newly created or updated radio station.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the stream endpoint, \u003ccode\u003e/radio/stream/{id}\u003c/code\u003e, attempting to play the crafted radio station.\u003c/li\u003e\n\u003cli\u003eKoel's \u003ccode\u003eRadioStreamProxy::openStream()\u003c/code\u003e function initiates a server-side request to the \u003ccode\u003estreamUrl\u003c/code\u003e value stored in the radio station object.\u003c/li\u003e\n\u003cli\u003eThe full HTTP response body from the internal network resource is returned to the Koel server, which then forwards it to the attacker's client, enabling full-read SSRF.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-54493 allows an authenticated attacker to perform extensive internal network reconnaissance and potentially exfiltrate sensitive data. Attackers can read loopback-only, RFC1918, or Docker-bridge HTTP services, access internal admin panels, metrics services, or metadata endpoints that are not publicly exposed. This full-read Server-Side Request Forgery significantly amplifies the risk compared to blind SSRF, as it grants attackers direct access to the content of internal HTTP responses, thereby exposing sensitive configurations, credentials, or internal application data. The scope of targeted entities includes any internal HTTP service reachable from the Koel server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54493 immediately by upgrading Koel to a version where the Subsonic request validators apply the \u003ccode\u003eSafeUrl\u003c/code\u003e and \u003ccode\u003eHasAudioContentType\u003c/code\u003e rules to the \u003ccode\u003estreamUrl\u003c/code\u003e parameter, as shown in the provided patch for \u003ccode\u003eapp/Http/Requests/Subsonic/CreateInternetRadioStationRequest.php\u003c/code\u003e and \u003ccode\u003eapp/Http/Requests/Subsonic/UpdateInternetRadioStationRequest.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement defense-in-depth by ensuring the \u003ccode\u003eRadioStreamProxy::openStream()\u003c/code\u003e function performs a safety check on the URL before opening a stream, as suggested in the patch for \u003ccode\u003eapp/Services/Radio/RadioStreamProxy.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-54493 Exploitation - Koel Subsonic SSRF Attempt\u0026quot; to your SIEM to identify attempts to create or update radio stations with internal IP addresses or hostnames.\u003c/li\u003e\n\u003cli\u003eEnsure web server logs (e.g., Apache, Nginx access logs) are being collected for the \u003ccode\u003ewebserver\u003c/code\u003e logsource category, as they are crucial for detecting the HTTP request patterns targeted by the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T17:15:15Z","date_published":"2026-07-15T17:15:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-koel-ssrf/","summary":"An authenticated user can exploit a Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-54493, in Koel v9.6.0 via the Subsonic-compatible radio endpoints, which lack proper URL validation, allowing the server to fetch and return the body of internal network resources.","title":"Koel Authenticated Full-Read SSRF via Subsonic Internet Radio Stations","url":"https://feed.craftedsignal.io/briefs/2026-07-koel-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Subsonic","version":"https://jsonfeed.org/version/1.1"}