EUVD-2026-21065

CVE-2026-40089 | CRITICAL | CVSS 3.1 base score 9.9
Published 2026-04-09 | Source: GitHub_M

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Apr 09, 2026 - 20:15 (source: euvd) - EUVD-2026-21065
Analysis Generated: Apr 09, 2026 - 20:15 (source: vuln.today)
CVE Published: Apr 09, 2026 - 19:43 (source: nvd)

Description

Sonicverse is a self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one-liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4.
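The description above names the root cause: a user-supplied URL reaches the server-side HTTP client without validation. The following is an added example of the kind of allowlist check a dashboard backend can apply before issuing any outbound request. It is not Sonicverse code and not the fix in the referenced commit; the policy object, the upstream hostnames in it, and the function names are hypothetical, and the sample URLs in the usage block are constructed.

```typescript
// Added example: allowlist-based validation of an outbound URL before a
// server-side HTTP client is allowed to use it. Hypothetical names throughout;
// not the Sonicverse project's own code.

export interface UrlPolicy {
  allowedHosts: Set<string>;      // exact, lower-case hostnames the backend may contact
  allowedProtocols: Set<string>;  // WHATWG URL protocol strings, e.g. "https:"
}

// Constructed policy: the internal stream/transcoder services a radio dashboard
// would legitimately talk to, plus one public hostname.
export const examplePolicy: UrlPolicy = {
  allowedHosts: new Set(["icecast", "liquidsoap", "stream.example.org"]),
  allowedProtocols: new Set(["http:", "https:"]),
};

// True if a dotted-quad IPv4 literal falls in a range the backend should never
// be asked to reach on behalf of a user: loopback, RFC 1918, link-local
// (which includes the cloud metadata address 169.254.169.254), CGNAT, "this" net.
export function isBlockedIPv4(ip: string): boolean {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    return true; // malformed literal: fail closed
  }
  const [a, b] = octets;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Parse with the WHATWG URL parser (which normalises hex/decimal IPv4 forms such
// as http://2130706433/ to 127.0.0.1), then apply the policy in order:
// protocol, embedded credentials, IP-literal ranges, hostname allowlist.
export function checkOutboundUrl(raw: string, policy: UrlPolicy): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!policy.allowedProtocols.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // IPv6 literals come back bracketed from the parser; strip before inspection.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host.includes(":")) {
    return { ok: false, reason: "IPv6 literals not allowed" };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isBlockedIPv4(host)) {
    return { ok: false, reason: `address ${host} is in a blocked range` };
  }
  if (!policy.allowedHosts.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, url };
}

// Usage with constructed inputs.
const verdicts = [
  "http://icecast:8000/status-json.xsl",
  "http://169.254.169.254/latest/meta-data/",
  "http://2130706433/",
  "file:///etc/passwd",
].map((u) => `${u} -> ${JSON.stringify(checkOutboundUrl(u, examplePolicy))}`);
console.log(verdicts.join("\n"));
```

Two caveats a reviewer would raise on any check of this shape: an allowlisted hostname still has to resolve, so the resolver must be trusted (or the resolved address re-checked against the same ranges), and the HTTP client must be configured not to follow redirects automatically, since a redirect from an allowed host to 169.254.169.254 otherwise bypasses the check. The network-level isolation in the Remediation section is the complementary control for both gaps.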

Analysis

Server-Side Request Forgery in Sonicverse Radio Audio Streaming Stack dashboard API client allows authenticated operators to perform arbitrary HTTP requests from the backend server to internal or external targets. Affects Docker Compose deployments installed via the provided install.sh script, including one-liner installations. …


Remediation

Within 24 hours: Identify all Sonicverse Radio deployments using Docker Compose with the standard install.sh script and restrict network access to the dashboard API to trusted operators only via firewall/WAF rules. Within 7 days: Implement compensating controls: isolate affected Docker containers from access to internal services, cloud metadata endpoints (169.254.169.254), and inter-service communication; audit logs for suspicious HTTP requests originating from the dashboard API. …


Priority Score: 50 (scale: Low / Medium / High / Critical)

Score components:
KEV: 0
EPSS: +0.0
CVSS: +50
POC: 0

