Cyber Resilience

CVE-2026-40089

Severity: Critical
Published: 09 April 2026
Modified: 02 June 2026
KEV added: no
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS score: 0.0023 (13.8th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-40089 is a critical-severity SSRF (CWE-918) vulnerability in Sonicverse Radio Audio Streaming Stack. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.8th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-40089 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Sonicverse Radio Audio Streaming Stack dashboard, specifically in its API client located at apps/dashboard/lib/api.ts. Sonicverse is a self-hosted Docker Compose stack for live radio streaming. The issue impacts installations created using the provided install.sh script, including those deployed via the one-liner command bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack). In these setups, the dashboard accepts user-controlled URLs and forwards them directly to a server-side HTTP client without adequate validation, earning a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).

An authenticated operator with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a malicious URL, the attacker can compel the dashboard backend to issue arbitrary HTTP requests to internal or external systems, potentially enabling access to sensitive internal resources, data exfiltration, or interactions with unintended services from the server's trusted context.

The GitHub security advisory at https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48 describes the fix, implemented in commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4; operators of vulnerable installations should apply it by updating the affected repository to a revision that includes that commit.

Vulnerability details

Sonicverse is a self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one-liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SSRF vulnerability in the accessible web dashboard API directly enables exploitation of a public-facing application by allowing authenticated attackers to supply malicious URLs that force the server to make arbitrary HTTP requests to internal/external resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13195 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-69299 (shared CWE-918)
CVE-2026-42398 (shared CWE-918)
CVE-2026-7025 (shared CWE-918)
CVE-2025-2691 (shared CWE-918)
CVE-2025-21385 (shared CWE-918)
CVE-2026-6625 (shared CWE-918)
CVE-2026-30118 (shared CWE-918)

Affected Assets

sonicverse radio audio streaming stack, versions ≤ 1.7.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly mitigates SSRF by requiring validation and sanitization of user-controlled URLs before they are passed to the server-side HTTP client in the dashboard API.
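As an added illustration of the SI-10 control above (example code written for this page, not the project's api.ts and not the fix in the referenced commit), the following TypeScript guard validates a user-supplied URL before a dashboard backend is allowed to fetch it: scheme and credential checks, a denylist of address ranges that a server-side client should never reach, and an explicit host allowlist. The `allowedHosts` list and the function names are assumptions, not part of the Sonicverse code base.

```typescript
import { isIP } from "node:net";

// Hypothetical SSRF guard for a dashboard API client: a user-supplied URL is
// checked here before any server-side HTTP request is made with it.

// Parse a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// Ranges a server-side client should never be pointed at: "this" network,
// RFC 1918 private, CGNAT, loopback, link-local (incl. cloud metadata).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function isBlockedIPv4(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Validate a user-controlled URL against an explicit host allowlist
// (`allowedHosts` is assumed deployment config: the stream sources the
// dashboard legitimately talks to) plus the address-range denylist above.
function validateOutboundUrl(raw: string, allowedHosts: string[]): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw); // WHATWG parsing normalises "127.1" and "2130706433" to 127.0.0.1
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  const version = isIP(host);
  if (version === 6) return { ok: false, reason: "IPv6 literals not allowed" };
  if (version === 4 && isBlockedIPv4(host)) {
    return { ok: false, reason: `${host} is in a blocked address range` };
  }
  if (!allowedHosts.includes(host)) {
    return { ok: false, reason: `${host} is not an allowlisted host` };
  }
  return { ok: true, url };
}
```

An allowlisted hostname can still resolve to an internal address (DNS rebinding), so the resolved address should be checked with the same range denylist at connection time, and redirects followed by the HTTP client must be re-validated the same way.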

SC-7 Boundary Protection (prevent): monitors and controls communications at external and key internal interfaces, blocking unauthorized outbound HTTP requests triggered by the SSRF vulnerability.

SI-2 Flaw Remediation (prevent): ensures timely identification, reporting, and patching of the specific SSRF vulnerability fixed in commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4.
