CVE-2026-40089
Published: 09 April 2026
Summary
CVE-2026-40089 is a critical-severity SSRF (CWE-918) vulnerability in Sonicverse Radio Audio Streaming Stack. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 13.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-40089 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Sonicverse Radio Audio Streaming Stack dashboard, specifically its API client located at apps/dashboard/lib/api.ts. Sonicverse is a self-hosted Docker Compose stack for live radio streaming. The issue impacts installations created using the provided install.sh script, including those deployed via the one-liner command bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack). In these setups, the dashboard accepts user-controlled URLs and forwards them directly to a server-side HTTP client without adequate validation. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
An authenticated operator with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a malicious URL, the attacker can compel the dashboard backend to issue arbitrary HTTP requests to internal or external systems, potentially enabling access to sensitive internal resources, data exfiltration, or interactions with unintended services from the server's trusted context.
The GitHub security advisory at https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48 details the fix, implemented in commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4, which security practitioners should apply to vulnerable installations by updating the affected repository.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21065
Vulnerability details
Sonicverse is a self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one-liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in the accessible web dashboard API directly enables exploitation of a public-facing application by allowing authenticated attackers to supply malicious URLs that force the server to make arbitrary HTTP requests to internal/external resources.
Mitigating Controls (NIST 800-53 r5)
Information Input Validation (SI-10) directly mitigates SSRF by requiring that user-controlled URLs be validated and sanitized before they are passed to the dashboard API's server-side HTTP client.
Boundary Protection (SC-7) monitors and controls communications at external and key internal interfaces, blocking unauthorized outbound HTTP requests that the SSRF vulnerability would otherwise trigger.
Flaw Remediation (SI-2) ensures timely identification, reporting, and patching of this SSRF vulnerability, which is fixed in commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4.