CVE-2026-26379
Remote Code Execution in Koha Library Software
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| koha | koha | to 25.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-26379, immediate steps include restricting access to the Koha administration interface to trusted users only, as exploitation requires administrative access.
Additionally, review and validate all Z39.50/SRU server configurations to ensure no unauthorized or malicious entries exist that could be used to perform Server-Side Request Forgery (SSRF) attacks.
Monitoring internal network services for unusual access patterns and applying network-level restrictions to limit Koha server outbound connections to trusted services can also help reduce risk.
Can you explain this vulnerability to me?
CVE-2026-26379 is a Server-Side Request Forgery (SSRF) vulnerability in Koha library software versions up to and including 25.11. It allows a remote attacker with access to the Koha administration interface to manipulate the Z39.50 configuration module by creating a crafted server entry. This forces the application to make unauthorized requests to internal network services, potentially revealing information about internal services or enabling further exploitation.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to probe internal network services that are normally inaccessible from outside. By exploiting the SSRF flaw, an attacker can discover open ports and services within your internal network, which may lead to further attacks or unauthorized access to sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Koha administration interface allows the creation of a Z39.50 server entry with a crafted hostname or IP address pointing to internal services. By triggering a search via a specific URL path, the application attempts to connect to the specified internal service.
If the internal service responds or times out, it indicates the presence of an internal service on that port; if the connection fails, the port is likely closed.
Since the exploit requires access to the Koha administration interface, detection involves verifying if unauthorized users can create or manipulate Z39.50 server entries.
No specific command-line commands are provided, but monitoring access logs for unusual Z39.50 configuration changes or attempts to access the Z39.50 configuration module URL paths could help detect exploitation attempts.