CVE-2026-26379
Description
Koha versions 25.11 and earlier are vulnerable to SSRF in the Z39.50 configuration module, allowing remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Koha versions 25.11 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability within the Z39.50 configuration module. This vulnerability allows an attacker to make the server send requests to arbitrary internal or external resources.
Exploitation
An attacker can exploit this vulnerability by first navigating to Koha Administration -> Z39.50/SRU servers and adding a new Z39.50 server. The attacker must then provide a malicious hostname and port in the server configuration. Subsequently, by initiating a search through the Z39.50 server interface, the attacker can trigger the SSRF vulnerability, causing the Koha server to send a request to the specified internal resource. This requires the attacker to have access to the Koha interface to configure the Z39.50 server and initiate the search [3].
Impact
Successful exploitation of this SSRF vulnerability can lead to arbitrary code execution. By tricking the Koha server into connecting to an internal service, an attacker can potentially interact with internal applications or services that are not directly exposed to the internet. This could lead to further compromise of internal systems or sensitive data disclosure, depending on the nature of the internal service [3].
Mitigation
Koha versions 25.11 and earlier are affected. A fix for this vulnerability is available in later versions of Koha. Users are strongly advised to update to a patched version as soon as possible. No specific workaround is mentioned in the available references, and the vulnerability is described as a 0-day at the time of disclosure [3].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Z39.50 configuration module does not properly sanitize user-supplied input when constructing network requests, allowing for arbitrary code execution."
Attack vector
An attacker can exploit this vulnerability by configuring a malicious Z39.50 server within the Koha application. This involves navigating to Koha Administration -> Z39.50/SRU servers and adding a new server with specially crafted input. Subsequently, the attacker triggers a search operation using the compromised server configuration, leading to arbitrary code execution on the server. [ref_id=2]
Affected code
The vulnerability resides within the Z39.50 configuration module of Koha. Specifically, the `z3950_search.pl` script is involved in processing user input for Z39.50 server configurations, which can be manipulated to achieve arbitrary code execution. [ref_id=2]
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. It is recommended to consult the Koha community for remediation guidance or updated versions. The vulnerability is described as SSRF in Koha version <= 25.11. [ref_id=2]
Preconditions
- config: The Z39.50/SRU servers module must be accessible and configurable by the user.
- input: The attacker must be able to provide malicious input when configuring a Z39.50 server.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.