CVE-2026-50888
Description
Authenticated SSRF in Koillection v1.8.0 custom scraper allows low-privileged users to scan internal HTTP resources via crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Koillection v1.8.0 suffers from an authenticated Server-Side Request Forgery (SSRF) in its custom scraper subsystem. The endpoints /scrapers/item-scrapers/scrap, /scrapers/collection-scrapers/scrap, and /scrapers/wish-scrapers/scrap accept user-defined url fields without validating whether the target is an internal or external address. The scraper feature is enabled by default for authenticated users with ROLE_USER privileges. An attacker can supply a malicious URL targeting internal HTTP services, and the server will fetch that URL, apply user-defined extraction rules (XPath or path selectors), and return the extracted content in the JSON response [1].
Exploitation
An attacker must possess a valid Koillection account with ROLE_USER and the scraping feature enabled (default). The attacker creates a scraper definition with a data path (e.g., //title or //body) and optionally custom headers. A POST request is sent to one of the scraper endpoints with the url field set to an internal HTTP service (e.g., http://metadata.google.internal) and the scraper field pointing to the user-owned scraper ID. The server then makes an outbound request to the internal target, processes the response through the extraction rules, and returns the extracted data to the attacker [1].
Impact
A low-privileged authenticated user can achieve SSRF with response disclosure. The attacker can probe internal services, read response content (including sensitive data), and map internal network topology. The impact is information disclosure and potential further internal reconnaissance, depending on the reachable services [1].
Mitigation
As of the reference publication date (June 15, 2026), no official patch or workaround has been disclosed for Koillection v1.8.0. Users should consider disabling the scraping feature or restricting endpoint access via a reverse proxy until a fix is released. The vulnerability is not known to be listed in CISA KEV as of the publication date [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.8.0
- Range: = 1.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation (allowlist/internal-address block) on the user-supplied scraper target URL allows the server to fetch arbitrary internal HTTP resources."
Attack vector
An authenticated ROLE_USER first creates a scraper definition with a data path (e.g., //title or //body) and optional custom headers. They then POST to one of the three scrap endpoints, setting the url field to an internal HTTP service and the scraper field to the user-owned scraper ID. The Koillection server fetches the internal target, applies the extraction rules, and returns the extracted content in the JSON response, achieving SSRF with response disclosure [CWE-918] [ref_id=1].
Affected code
The vulnerability lies in the custom scraper subsystem of Koillection 1.8.0, specifically the endpoints /scrapers/item-scrapers/scrap, /scrapers/collection-scrapers/scrap, and /scrapers/wish-scrapers/scrap. The scraper service sends an outbound request to a user-supplied url without enforcing a target allowlist or blocking internal addresses [ref_id=1].
What the fix does
The advisory states that the missing boundary is a target allowlist or internal-address block before the server-side fetch [ref_id=1]. No patch is published in the bundle. To remediate, the application must validate that the submitted url does not resolve to an internal/private IP and should enforce an allowlist of permitted external targets before performing the server-side HTTP request.
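As an added illustration of the missing boundary described above (example code written for this page, not Koillection's code and not from the advisory), the check below restricts the scheme, optionally matches the hostname against an allowlist, and requires every address the host resolves to be public before the server-side fetch is allowed. The host names and DNS answers in CONSTRUCTED_DNS are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class UnsafeTarget(ValueError):
    """Raised when a scraper target URL must not be fetched server-side."""

def _is_public(addr) -> bool:
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) is judged as the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def system_resolver(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

# Constructed DNS answers so the example runs offline; these are not real records.
CONSTRUCTED_DNS = {
    "metadata.google.internal": ["169.254.169.254"],  # cloud metadata, link-local
    "books.example": ["93.184.216.34"],               # ordinary public host
    "rebind.example": ["93.184.216.34", "10.0.0.7"],  # mixed public and private answers
}

def constructed_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])

def validate_scrape_target(url: str, allowlist=None, resolver=system_resolver) -> list:
    """Return the public addresses the fetch may connect to, else raise UnsafeTarget."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise UnsafeTarget(f"scheme not allowed or host missing: {url!r}")
    if allowlist is not None and host.lower() not in {h.lower() for h in allowlist}:
        raise UnsafeTarget(f"host not on allowlist: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeTarget(f"cannot resolve {host}") from exc
    # Every answer must be public: one private record (rebinding, split DNS) rejects the host.
    blocked = [str(a) for a in addrs if not _is_public(a)]
    if not addrs or blocked:
        raise UnsafeTarget(f"{host} is unresolvable or maps to non-public {blocked}")
    return [str(a) for a in addrs]
```

The fetch itself should connect to the returned addresses rather than re-resolving the host, and the same check must be re-run on every redirect hop, otherwise DNS rebinding or a redirect to an internal address bypasses the validation.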
Preconditions
- Authenticated as a regular ROLE_USER with the scraping feature enabled (enabled by default in 1.8.0).
- The Koillection server must have network access to the internal target the attacker wishes to scan.
- The attacker must create a scraper definition containing XPath/path extraction rules and optional custom headers.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.