HarborGuard Database

Severity: HIGH · CVE-2026-50888 · CNA: mitre

CVE-2026-50888: An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1

An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources by supplying a crafted URL.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Server-Side Request Forgery (SSRF) is present in the custom scraper subsystem of Koillection v1.8.0. The vulnerability is reachable over the network by any authenticated user with a low-privilege account, requiring no victim interaction. A successful attacker can make the server issue arbitrary HTTP requests to internal network resources, exposing sensitive internal data and enabling modification of internal services that accept unauthenticated inbound requests. HarborGuard is tracking the advisory for patch availability, as no fix version has been published upstream.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-50888 is available across all HarborGuard environments, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion. Custom-built images that bundle Koillection v1.8.0 are included in this matching sweep.

Status: Available
Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer organization's compliance policy to prioritize routing. Findings are directed to the appropriate team inbox within each customer environment based on configured policy rules.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations described below.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Koillection service over the network; the component is network-exposed by design.

  • Authentication: Required

    Any low-privilege account is sufficient; no administrative or elevated credentials are needed.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker submits a crafted URL directly to the scraper endpoint.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; no race conditions or specific memory layout is required.

Blast Radius

  • The attacker can force the server to issue HTTP requests to arbitrary internal addresses, effectively using the Koillection host as a proxy to map internal network topology and enumerate live services.
  • Internal services that trust inbound requests from the application host (such as metadata APIs, internal dashboards, or unauthenticated microservices) can have their data read or their state modified.
  • Sensitive credentials, tokens, or configuration data served by internal endpoints (for example, cloud instance metadata at 169.254.169.254) are readable by the attacker through the SSRF responses.
  • Data integrity of internal services that accept write operations over HTTP is at risk, as the attacker can craft URLs that trigger state-changing requests on those services.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-50888 is flagged on every image found to include Koillection v1.8.0, scored at CVSS 8.1 HIGH, and routed per each organization's compliance policy. Because no upstream patch exists, a rebuilt image cannot yet be generated; HarborGuard monitors the advisory on every ingest cycle and will surface a patched rebuild the moment Benjamin Jonard Koillection publishes a fix.

While waiting for an upstream fix, customers can apply compensating controls:

  • Use HarborGuard's network-policy isolation tooling to restrict egress from containers running Koillection to only the external hosts the scraper legitimately needs to reach.
  • Apply egress filtering to block requests to RFC 1918 addresses and cloud metadata ranges.
  • Consider feature-flag gating or WAF rules that validate or allowlist scraper URL inputs at the application boundary.

These measures reduce the exploitable surface without requiring a code-level fix.
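The application-boundary control described above (validate or allowlist the scraper's URL input) is shown here as an added example; it is not Koillection's code or HarborGuard's tooling. It assumes a hypothetical `validate_scraper_url` hook placed in front of the scraper's HTTP client and uses a constructed in-memory DNS table (`DEMO_DNS`, with made-up hostnames and addresses) so it runs offline; `system_resolver` is the production default. It rejects non-HTTP schemes, embedded credentials, and any destination that resolves to a loopback, private, link-local (including the 169.254.169.254 metadata endpoint), multicast or reserved address, and it unwraps IPv4-mapped IPv6 literals so they cannot bypass the check. The returned `pinned_ips` exist because a check-then-connect validator is otherwise open to DNS rebinding: the HTTP client should connect to the validated IP and send the hostname in the Host header rather than resolving the name a second time.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical policy values for this example.
ALLOWED_SCHEMES = {"http", "https"}

# Explicit deny-list, kept alongside the ipaddress flags below so a reviewer
# can see the ranges without knowing how the library classifies them.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local; contains the 169.254.169.254 metadata API
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table so the example runs offline (not real hosts).
DEMO_DNS = {
    "example.org": ["93.184.216.34"],             # constructed public address
    "intranet.corp": ["10.0.0.5"],                # constructed RFC 1918 host
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # mixed answer set
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    pinned_ips: tuple = field(default_factory=tuple)


def _is_blocked(ip):
    """True if the address must never be fetched by the scraper."""
    # ::ffff:10.0.0.1 is IPv6 on the wire but targets an IPv4 host; check it as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Resolve a hostname to every A/AAAA answer via the OS resolver.

    Shorthand forms such as '127.1' or a decimal IP are not parsed by
    ipaddress, so they reach this path; getaddrinfo expands them and the
    expanded address is then checked like any other answer.
    """
    infos = socket.getaddrinfo(host, None)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos})


def demo_resolver(host):
    """Offline stand-in for system_resolver backed by the constructed table."""
    if host not in DEMO_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [ipaddress.ip_address(a) for a in DEMO_DNS[host]]


def validate_scraper_url(url, resolver=system_resolver, host_allowlist=None):
    """Decide whether the scraper may fetch `url`; pin the IPs it may connect to."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Verdict(False, "scheme not allowed")
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host")
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "credentials in URL")
    host = host.rstrip(".")
    if host_allowlist is not None and host not in host_allowlist:
        return Verdict(False, "host not in allowlist")
    try:
        ips = [ipaddress.ip_address(host)]       # literal IP, no DNS involved
    except ValueError:
        try:
            ips = list(resolver(host))
        except OSError:
            return Verdict(False, "unresolvable host")
    if not ips:
        return Verdict(False, "no addresses")
    # Reject if ANY answer is blocked: a mixed answer set is how rebinding
    # and round-robin tricks slip an internal address past a single check.
    for ip in ips:
        if _is_blocked(ip):
            return Verdict(False, f"address {ip} is in a blocked range")
    return Verdict(True, "ok", tuple(ips))


if __name__ == "__main__":
    for u in ("https://example.org/item/1", "http://169.254.169.254/latest/meta-data/",
              "http://intranet.corp/", "http://rebind.test/", "http://[::ffff:10.0.0.1]/"):
        print(u, "->", validate_scraper_url(u, resolver=demo_resolver))
```

Pair this with the egress filtering the advisory recommends: the validator stops the obvious cases at the application boundary, while a network policy that denies RFC 1918 and link-local destinations from the Koillection container catches anything the validator cannot see, such as a redirect followed by the HTTP client after validation.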

Affected packages
  • n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N