CVE-2026-40089
Sonicverse · Sonicverse Radio Audio Streaming Stack
A Server-Side Request Forgery (SSRF) vulnerability in the Sonicverse Radio dashboard allows authenticated operators to perform arbitrary HTTP requests to internal or external systems.
Executive summary
An SSRF vulnerability in the Sonicverse Radio streaming dashboard enables authenticated attackers to perform unauthorized requests against internal and external infrastructure.
Vulnerability
The dashboard API client lacks sufficient validation when processing user-controlled URLs, leading to a Server-Side Request Forgery (SSRF) vulnerability. An authenticated operator can abuse this flaw to force the backend to make arbitrary HTTP requests to internal network resources or external systems.
Business impact
SSRF vulnerabilities are frequently used to bypass network perimeters, scan internal infrastructure, or interact with cloud metadata services. With a CVSS score of 9.9, the potential for lateral movement and unauthorized access to sensitive internal services is extreme, posing a significant risk to the integrity and confidentiality of the host network.
Remediation
Immediate Action: Apply the fix provided in commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4 or update to the latest available version provided by the project maintainers.
Proactive Monitoring: Review application logs for anomalous API requests and monitor network traffic for unexpected internal scans originating from the streaming stack dashboard.
Compensating Controls: Use a Web Application Firewall (WAF) to filter suspicious URL parameters, and block requests from the dashboard application that are directed at internal IP ranges.
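To illustrate the validation the dashboard API client is described as lacking, the following is an added example written for this advisory (it is not the project's code and not the fix in the referenced commit): an allow-by-default-deny check for operator-supplied URLs that resolves every hostname and rejects any address that is not globally routable. The host names and the resolver hook are constructed for the example; a real client would pass its own resolver or use the default.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp:// etc.


def _is_public_ip(ip):
    """True only for a globally routable address (rejects RFC 1918, loopback,
    link-local incl. 169.254.169.254, CGNAT, multicast, reserved, unspecified)."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as the v4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def _default_resolver(host):
    """Return the set of IP strings a hostname resolves to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, resolver=_default_resolver):
    """Return (ok, reason). ok is True only if the scheme is allowed and every
    address the host resolves to is public. Literal IPs are checked directly;
    anything else (including tricks like decimal '2130706433') goes through the
    resolver, so whatever the OS would connect to is what gets judged."""
    try:
        parts = urlsplit(url)
        host, _port = parts.hostname, parts.port  # .port raises on bad port
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in url"
    if not host:
        return False, "missing host"
    try:
        ips = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "dns failure"
    if not ips:
        return False, "no addresses"
    for ip in ips:
        if not _is_public_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

The check is only sound if the subsequent fetch connects to the addresses that were validated (pin the IP and disable redirects, or re-validate each redirect target); otherwise a host whose DNS answer changes between validation and fetch defeats it.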
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the exceptionally high CVSS score, this vulnerability should be treated as a priority. Administrators must immediately apply the code-level fix and restrict access to the dashboard to trusted users only to mitigate the risk of internal network reconnaissance and exploitation.