CRITICAL · CVE-2026-40089 · CVSS 9.9

CVE-2026-40089: SSRF in Sonicverse Radio Audio Streaming Stack

Platform

nodejs

Component

sonicverse-eu/audiostreaming-stack

Fixed in

1.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-40089 describes a Server-Side Request Forgery (SSRF) vulnerability in the dashboard of the Sonicverse Radio Audio Streaming Stack. The flaw lets an authenticated operator make the server issue HTTP requests to destinations of the operator's choosing, which can expose internal resources and data. It affects installations created with the provided install.sh script, specifically those set up with the one-liner bash command. The fix is commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4, shipped in version 1.0.1.

Impact and Attack Scenarios

The SSRF vulnerability in Sonicverse allows an authenticated operator to make arbitrary HTTP requests on behalf of the Sonicverse server. An attacker with such an account could enumerate internal networks for exposed services, reach data kept behind firewalls, or interact with internal APIs that trust the server's network position. Examples include internal databases, configuration endpoints, and other critical systems. The blast radius extends to any internal resource reachable from the server over HTTP or HTTPS. The issue is particularly concerning because it requires only a valid low-privileged operator account, so compromise of any such account is enough to exploit it.

Exploitation Context

CVE-2026-40089 was publicly disclosed on 2026-04-09. The vulnerability is present in installations created using the provided install.sh script. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.04% (13% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Base score: 9.9 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: sonicverse-eu/audiostreaming-stack
Vendor: sonicverse-eu
Affected range: < cb1ddbacafcb441549fe87d3eeabdb6a085325e4
Fixed in: 1.0.1

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-40089 is to upgrade the Sonicverse Radio Audio Streaming Stack to commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4 (version 1.0.1) or later. If an immediate upgrade is not possible, restrict outbound network access from the Sonicverse server with a firewall or an egress proxy so that operator-supplied URLs cannot reach internal address ranges. Additionally, review and minimize the permissions granted to operator accounts to limit the impact of a compromised account. After the upgrade, confirm the fix by submitting a test URL that points at an internal address (for example a loopback address) through the dashboard; the server should reject or block the request.

How to fix

Update to the patched version cb1ddbacafcb441549fe87d3eeabdb6a085325e4 or higher. This involves updating the Docker Compose stack to the latest version available in the sonicverse-eu/audiostreaming-stack repository. Refer to the official documentation for detailed upgrade instructions.

Frequently asked questions

What is CVE-2026-40089 — SSRF in Sonicverse Radio Audio Streaming Stack?

CVE-2026-40089 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Sonicverse Radio Audio Streaming Stack dashboard that allows authenticated operators to make the server issue arbitrary HTTP requests.

Am I affected by CVE-2026-40089 in Sonicverse Radio Audio Streaming Stack?

You are affected if you run a Sonicverse Radio Audio Streaming Stack build prior to commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4 (before version 1.0.1) and deployed it using the provided install.sh script.

How do I fix CVE-2026-40089 in Sonicverse Radio Audio Streaming Stack?

Upgrade Sonicverse Radio Audio Streaming Stack to version cb1ddbacafcb441549fe87d3eeabdb6a085325e4 or later. Consider temporary workarounds like firewall restrictions if immediate upgrade is not possible.

Is CVE-2026-40089 being actively exploited?

There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.

Where can I find the official Sonicverse advisory for CVE-2026-40089?

Refer to the official Sonicverse project repository and documentation for the latest advisory and security updates.
