MEDIUM 6.5

CVE-2026-26379: Koha SSRF in Z39.50/SRU Configuration

Koha, an open-source library management system, contains a Server-Side Request Forgery (SSRF) vulnerability in its Z39.50/SRU server configuration. An authenticated attacker can exploit this flaw to scan the internal network and discover which services are running by measuring how the server responds to requests. This vulnerability affects Koha versions up to and including 25.11.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-918
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input validation in the Z39.50/SRU server configuration subsystem. Authenticated users can craft malicious requests that cause the Koha server to initiate connections to arbitrary internal network addresses. By analyzing response timing and error messages, attackers can infer the presence and state of internal services without direct network access. The flaw is classified under CWE-918 (Server-Side Request Forgery), a well-understood class of network-layer privilege escalation.

Business impact

For library organizations and educational institutions running Koha, this vulnerability presents a reconnaissance risk. An attacker with valid credentials—potentially a staff member or compromised account—can map internal infrastructure to identify systems worth targeting in a follow-up attack. This information disclosure could facilitate lateral movement or downstream compromise of databases, authentication systems, or other critical library services. Organizations relying on network segmentation for defense are particularly exposed.

Affected systems

Koha versions 25.11 and earlier are vulnerable. Organizations should inventory Koha deployments and verify their installed version. The vulnerability requires authentication, so it is limited to users with legitimate system access; however, in shared library environments or institutions with relaxed access controls, the attacker pool may be larger than expected.

Exploitability

Exploitation requires valid authentication credentials and network access to the Koha server. The attack itself is straightforward—no complex interaction or user confusion is needed—making it trivial for any authenticated user to execute once they understand the Z39.50/SRU configuration interface. The CVSS vector reflects this accessibility: network-based (AV:N), low complexity (AC:L), no user interaction required (UI:N), and no privilege escalation needed (PR:N). However, the requirement for prior authentication significantly limits the practical threat landscape.

Remediation

Upgrade Koha to a patched version that addresses the Z39.50/SRU configuration validation. Verify against the official Koha security advisory for the specific minimum version. Until patching is possible, restrict Z39.50/SRU configuration access to trusted administrative accounts and consider disabling these features if they are not actively used. Implement network segmentation to limit the internal addresses an SSRF payload could reach.

Patch guidance

Check the official Koha project repository and security advisories for version 26.0 or later, which should include the remediation. Apply patches during a scheduled maintenance window, as Koha updates may require downtime for dependent library systems. Test the patched version in a non-production environment first to ensure compatibility with existing Z39.50/SRU client integrations.

Detection guidance

Monitor Z39.50/SRU server logs for unusual connection requests, especially those targeting internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1). Look for patterns of rapid requests with varying timeouts or error codes, which may indicate timing-based network reconnaissance. Correlate access logs with staff members' roles to identify credential misuse. Network intrusion detection systems should flag outbound connection attempts from the Koha server to private IP space that deviate from normal library service behavior.

Why prioritize this

This vulnerability merits prompt but not emergency remediation. The CVSS score of 6.5 (MEDIUM) reflects the balance between ease of exploitation and the requirement for prior authentication. It is not a wormable remote code execution vulnerability, nor has it been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, it directly enables reconnaissance for follow-on attacks and could be chained with other vulnerabilities. Organizations with strict network segmentation and access controls may deprioritize slightly; those with permissive internal networks or high staff turnover should accelerate patching.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) network-accessible attack vector with no authentication required from a network perspective, but (2) the practical requirement for valid Koha user credentials, which reduces real-world impact; (3) low attack complexity—no special conditions or user interaction—making it trivial to execute; (4) confidentiality impact through information disclosure of internal service state; (5) integrity impact potential if reconnaissance leads to targeted secondary attacks; (6) no direct availability impact from the SSRF itself. The score does not account for chaining with other flaws or the organizational context of library infrastructure criticality.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires valid credentials to access the Koha Z39.50/SRU configuration interface. This significantly limits the practical threat surface to staff members, service accounts, or credentials obtained through separate compromise.

Does this vulnerability allow remote code execution?

No. The SSRF enables network reconnaissance and internal service discovery through timing analysis. It does not directly permit code execution; however, it can be a stepping stone to identify and target other vulnerable services on the internal network.

What is the difference between Z39.50 and SRU, and do both carry the same risk?

Z39.50 and SRU are both library protocols for searching distributed catalogues. The vulnerability affects the server configuration for both, as they share the same validation logic in Koha. Both should be patched.

If we have network segmentation in place, do we still need to patch?

Network segmentation significantly reduces risk by limiting what an attacker can discover internally. However, patching remains the correct defense. Segmentation can fail, credentials can be misused across trust boundaries, and defense-in-depth principles favor removing the flaw at source.

This analysis is provided for educational and defensive security purposes only. The information is based on publicly disclosed details as of the publication date. Verify all patch versions, compatibility notes, and vendor guidance against official Koha security advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of remediation steps; organizations should conduct their own risk assessment and testing. Do not use this information to launch unauthorized attacks or network reconnaissance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).