CVE-2026-26379
Analyzed Analyzed - Analysis Complete
Remote Code Execution in Koha Library Software

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: MITRE

Description
Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-22
NVD
CVE-2026-26379
EUVD
EUVD-2026-34170
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
koha koha to 25.11.00 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate the vulnerability CVE-2026-26379, immediate steps include restricting access to the Koha administration interface to trusted users only, as exploitation requires administrative access.

Additionally, review and validate all Z39.50/SRU server configurations to ensure no unauthorized or malicious entries exist that could be used to perform Server-Side Request Forgery (SSRF) attacks.

Monitoring internal network services for unusual access patterns and applying network-level restrictions to limit Koha server outbound connections to trusted services can also help reduce risk.

Executive Summary

CVE-2026-26379 is a Server-Side Request Forgery (SSRF) vulnerability in Koha library software versions up to and including 25.11. It allows a remote attacker with access to the Koha administration interface to manipulate the Z39.50 configuration module by creating a crafted server entry. This forces the application to make unauthorized requests to internal network services, potentially revealing information about internal services or enabling further exploitation.

Impact Analysis

This vulnerability can impact you by allowing an attacker to probe internal network services that are normally inaccessible from outside. By exploiting the SSRF flaw, an attacker can discover open ports and services within your internal network, which may lead to further attacks or unauthorized access to sensitive information.

Detection Guidance

This vulnerability can be detected by checking if the Koha administration interface allows the creation of a Z39.50 server entry with a crafted hostname or IP address pointing to internal services. By triggering a search via a specific URL path, the application attempts to connect to the specified internal service.

If the internal service responds or times out, it indicates the presence of an internal service on that port; if the connection fails, the port is likely closed.

Since the exploit requires access to the Koha administration interface, detection involves verifying if unauthorized users can create or manipulate Z39.50 server entries.

No specific command-line commands are provided, but monitoring access logs for unusual Z39.50 configuration changes or attempts to access the Z39.50 configuration module URL paths could help detect exploitation attempts.

Compliance Impact

The provided information does not specify how CVE-2026-26379 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26379. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart