[GH-ISSUE #2134] [Bug]: Unexpected user accounts auto-created with registration disabled (Koel v7.15.1, Postgres) #1097

Open
opened 2026-02-26 02:35:13 +03:00 by kerem · 7 comments

Originally created by @volcs0 on GitHub (Oct 9, 2025).
Original GitHub issue: https://github.com/koel/koel/issues/2134

Originally assigned to: @phanan on GitHub.

Read the Troubleshooting guide.

  • I have read and followed the Troubleshooting guide

Reproduction steps

Summary

Koel is creating multiple user accounts automatically without any registration requests from clients. Registration is disabled. All accounts were created within the same second and look like Faker/test data.

Environment

Koel image: phanan/koel:latest (docker history shows KOEL_VERSION_REF=v7.15.1)

Database: Postgres 13 (separate container, volume-backed)

Compose (relevant bits):

services:
  koel:
    image: phanan/koel
    depends_on: [database]
    ports:
      - "8082:80"
    volumes:
      - /mnt/jmicron/Music:/music
      - ./image_storage:/var/www/html/public/img/storage
      - ./search_index:/var/www/html/storage/search-indexes
      - ./.env:/var/www/html/.env
  database:
    image: postgres:13
    volumes:
      - ./db:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=koel
      - POSTGRES_USER=koel
      - POSTGRES_PASSWORD=********

Koel .env inside container (sanitized):

APP_ENV=production
APP_DEBUG=false
APP_URL=http://192.168.2.200:8082
ALLOW_REGISTRATION=false
SESSION_DRIVER=file
DB_CONNECTION=pgsql
DB_HOST=database
DB_DATABASE=koel
DB_USERNAME=koel

Network/exposure: Koel is only bound to LAN and accessed via Cloudflare WARP (private routing). No public hostname or reverse proxy to this instance. iptables DOCKER-USER chain drops unsolicited traffic; LAN, Tailscale, and docker bridge are explicitly allowed.

What happened

At 2025-10-09 10:48:52–53 (UTC) five users were inserted into users.

Emails look like autogenerated test data (e.g. meta.berge@gleichner.com, macejkovic.lee@heaney.biz, talon48@metz.com, etc.).

invited_by_id is NULL; no SSO fields set.

No corresponding HTTP POSTs to /register, /api/users, or similar in Apache/Laravel logs at that time.

Expected behavior

What I expected

With ALLOW_REGISTRATION=false and no public exposure, I would not expect any new users to be created unless I explicitly invite or create them as admin.

Actual behavior

Evidence

SQL (run inside the Postgres container):

-- Last 50 users:
SELECT id, email, created_at, invited_by_id, sso_provider, sso_id
FROM users
ORDER BY created_at DESC
LIMIT 50;

Example result (sanitized):

id | email                        | created_at           | invited_by_id | sso_provider | sso_id
----+------------------------------+----------------------+---------------+--------------+-------
36 | damion44@pagac.com           | 2025-10-09 10:48:53  |               |              |
35 | mrohan@leffler.com           | 2025-10-09 10:48:52  |               |              |
34 | talon48@metz.com             | 2025-10-09 10:48:52  |               |              |
33 | macejkovic.lee@heaney.biz    | 2025-10-09 10:48:52  |               |              |
32 | meta.berge@gleichner.com     | 2025-10-09 10:48:52  |               |              |
 1 | admin@koel.dev               | 2025-09-28 16:02:30  |               |              |

Logs

Web server/app logs around that time:

No POSTs to any registration or user-creation endpoints.

Only periodic healthchecks (GET /sw.js) and normal GETs while I was browsing the UI later.

Example filtered log snippets:

# search for register/signup/user creation endpoints (last 48h)
docker logs --since=48h koel-koel-1 | grep -iE 'register|/api/users|signup|invite' | tail -n 200
# => no POSTs at the creation timestamp

Entrypoint & seeds:

Container entrypoint is very short and doesn’t run seeds:

# /usr/local/bin/koel-entrypoint
cd /var/www/html
docker-php-entrypoint "$@"

Grepping for db:seed, seed, or demo inside the image didn’t show anything obvious.

What I’ve ruled out

External attacker creating accounts: would expect HTTP POSTs and varied timestamps/IPs; there are none.

Public exposure via Cloudflare: this instance has no public hostname; Cloudflare WARP is used only for private routing.

Manual invites: invited_by_id is NULL on all new rows.

Hypothesis / Questions

Is there any scheduled job, migration, or first-run path in v7.15.1 that can create demo/test users or bootstrap accounts (especially with Faker emails)?

Is there a codepath that may create users when ALLOW_REGISTRATION=false (e.g., organization bootstrap, SSO placeholders, or a background sync)?

Could the packaged release tar include compiled assets or a script that triggers user creation on boot?

Temporary mitigations

Set ALLOW_REGISTRATION=false explicitly and confirmed in container.

Removed the bogus users from users.

Network remains private; no public ingress to this Koel instance.

Anything I can add to help?

Happy to run any additional diagnostics you suggest. I can also set up a DB trigger to capture inet_client_addr() / application_name on INSERT INTO users if that helps pinpoint the caller.

Koel version

7.15.1

How did you install Koel?

Official Docker image

Additional information


@phanan commented on GitHub (Oct 9, 2025):

Hmm. First things first, Koel doesn't have any registration mechanism, so ALLOW_REGISTRATION shouldn't have any effect. I'll take a closer look later.


@LucasLaprad commented on GitHub (Dec 17, 2025):

I too have been experiencing this; an example of the random accounts from this morning is below:

Image: https://github.com/user-attachments/assets/074949e1-f78e-4a79-9ce5-79198d97b026 (screenshot of the random accounts)

Running 8.1.0 on Rocky Linux hosted behind nginx. This instance is hosted publicly, albeit behind a self-hosted MFA portal.


@sgnl05 commented on GitHub (Dec 18, 2025):

Same here, two random accounts:

  • Melisa Sawayn (wyman.dulce@mueller[.]info)
  • Ilene Hills (waters.lia@yahoo[.]com)

Running 8.1.0 on Ubuntu, hosted behind HAProxy. Instance is exposed to the internet. I'm the only admin and use a randomly generated password containing >30 characters.


@sgnl05 commented on GitHub (Dec 18, 2025):

Looks like php artisan koel:doctor triggers creation of a fake account


@phanan commented on GitHub (Dec 18, 2025):

> Looks like php artisan koel:doctor triggers creation of a fake account

Not that I can reproduce:

~/OSS/koel/koel master ❯ php artisan tinker                                                                                                                     8.3.28
Psy Shell v0.12.13 (PHP 8.3.28 — cli) by Justin Hileman
> User::count()
= 1

> ^C

~/OSS/koel/koel master ❯ php artisan koel:doctor                    1m 18s  8.3.28

                              CHECKING KOEL SETUP...

  Artifacts directory /var/folders/0y/7gvjyq090hd1s2988ys830840000gn/T/koel/ is readable/writable  OK
  Session directory storage/framework/sessions is readable/writable .......... OK
  Cache directory storage/framework/cache is readable/writable ............... OK
  Log directory storage/logs is readable/writable ............................ OK
  Checking database connection ............................................... OK
  Media storage setup (local) ................................................ OK
  TNT search index directory storage/search-indexes is readable/writable ..... OK
  ........

~/OSS/koel/koel master ❯ php artisan tinker                                 8.3.28
Psy Shell v0.12.13 (PHP 8.3.28 — cli) by Justin Hileman
> User::count()
= 1

>

@gjermundksat commented on GitHub (Dec 19, 2025):

Any logs I can check for debugging?

Here's my output when I run tinker and koel:doctor:

www-data@2f4fe162785b:~/html$ php artisan tinker
Psy Shell v0.12.13 (PHP 8.4.8 — cli) by Justin Hileman
> User::count()
[!] Aliasing 'User' to 'App\Models\User' for this Tinker session.
= 4

> ^C
www-data@2f4fe162785b:~/html$ php artisan koel:doctor

                              CHECKING KOEL SETUP...

  Artifacts directory /tmp/koel/ is readable/writable ........................................................................................... OK  
  Session directory storage/framework/sessions is readable/writable ............................................................................. OK  
  Cache directory storage/framework/cache is readable/writable .................................................................................. OK  
  Log directory storage/logs is readable/writable ............................................................................................... OK  
  Checking database connection .................................................................................................................. OK  
  Media storage setup (local) ................................................................................................................... OK  
  TNT search index directory storage/search-indexes is readable/writable ........................................................................ OK  
  API is healthy ................................................................................................................................ OK  
  FFmpeg binary /usr/bin/ffmpeg is executable ................................................................................................... OK  
  PHP extension zip is loaded. Multi-file downloading is supported .............................................................................. OK  
  Max upload size ............................................................................................................................. 800M  
  Max post size ............................................................................................................................... 800M  
  Streaming method ...................................................................................................................... x-sendfile  
  Last.fm integration ........................................................................................................................... OK  
  YouTube integration ................................................................................................................ Not available  
  Spotify integration ........................................................................................................................... OK  
  Mailer configuration ....................................................................................................................... ERROR  
  Koel scheduler status .............................................................................................................. Not installed  
  Koel Plus license status .................................................................................................................. Active  

   ERROR  There are errors in your Koel setup. Koel will not work properly.  

   ERROR  You can find more details in storage/logs/laravel.log.  

www-data@2f4fe162785b:~/html$ php artisan tinker
Psy Shell v0.12.13 (PHP 8.4.8 — cli) by Justin Hileman
> User::count()
[!] Aliasing 'User' to 'App\Models\User' for this Tinker session.
= 6

> 

@phanan commented on GitHub (Jan 10, 2026):

I still can't reproduce the bug, but I've changed koel:doctor not to use model factories: #2195. Hopefully this will fix the issue.

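The audit trigger the reporter offers to set up, written out as an added example; it is not code from the Koel project or from anyone in this thread. It assumes Postgres 11 or later (the reporter runs 13), that the target table is users with columns id and email as in the reporter's query, and the audit table, function and trigger names are my own. Besides answering "which connection inserted these rows", it gives a concrete way to check the koel:doctor hypothesis raised in this thread: install the trigger, run the command, and see whether audit rows appear.

```sql
-- Added example (not Koel project code): record the source of every
-- INSERT INTO users so unexpected accounts can be traced to a connection.
-- Names below (users_insert_audit, audit_users_insert, trg_audit_users_insert)
-- are chosen for this example.

CREATE TABLE IF NOT EXISTS users_insert_audit (
    audit_id         bigserial PRIMARY KEY,
    user_id          bigint,
    email            text,
    inserted_at      timestamptz NOT NULL DEFAULT now(),
    db_role          text NOT NULL DEFAULT current_user,
    client_addr      inet,      -- NULL when the client connected over a Unix socket
    client_port      integer,
    application_name text,      -- set by the client; libpq honours PGAPPNAME
    backend_pid      integer,   -- server process handling that connection
    txid             bigint     -- transaction id, groups rows from one statement/batch
);

CREATE OR REPLACE FUNCTION audit_users_insert() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO users_insert_audit
        (user_id, email, client_addr, client_port, application_name, backend_pid, txid)
    VALUES
        (NEW.id,
         NEW.email,
         inet_client_addr(),
         inet_client_port(),
         current_setting('application_name', true),
         pg_backend_pid(),
         txid_current());
    RETURN NEW;  -- ignored for AFTER triggers, returned by convention
END;
$$;

DROP TRIGGER IF EXISTS trg_audit_users_insert ON users;
CREATE TRIGGER trg_audit_users_insert
    AFTER INSERT ON users
    FOR EACH ROW EXECUTE FUNCTION audit_users_insert();

-- Later, summarise who inserted what. Rows created in one burst share a txid
-- (one statement or one transaction), which is exactly the pattern reported here.
SELECT application_name,
       client_addr,
       db_role,
       txid,
       count(*)         AS rows_inserted,
       min(inserted_at) AS first_seen,
       max(inserted_at) AS last_seen
FROM users_insert_audit
GROUP BY application_name, client_addr, db_role, txid
ORDER BY last_seen DESC;
```

Two caveats when reading the audit rows. A php artisan process started inside the koel container connects from the same container IP as the web workers, so client_addr alone will not separate a CLI run from an HTTP request; application_name is the discriminating field, and setting it differently for CLI invocations (for example through PGAPPNAME in the shell that runs artisan) makes the source obvious. And because the trigger fires inside the inserting transaction, a check that creates rows and rolls them back leaves no audit row, which is the desired outcome: rows that never persisted are not the problem.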