Description
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.
Published: 2026-04-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Patch Immediately
AI Analysis

Impact

OwnTone Server versions 28.4 through 29.0 include a SQL injection flaw in the handling of DAAP query and filter parameters. The flaw allows attackers to supply crafted values for integer-mapped DAAP fields through the query= and filter= HTTP parameters, bypassing the intended input sanitization and injecting arbitrary SQL expressions. Because the flaw is specific to integer-mapped fields, the likely root cause is that values for those fields are placed into the generated SQL without the quoting or escaping applied to string fields; the advisory does not describe the exact code path. The resulting SQL injection permits unauthorized read access to the media library database, potentially exposing library metadata and file paths.
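The following added example is not OwnTone's code. It is a minimal Python/sqlite3 model of the pattern described above, with an assumed DAAP field mapping, a simplified term syntax ('field:value'), and a constructed in-memory library. It shows why an integer-mapped field is the dangerous case: the vulnerable builder splices the client value straight into the WHERE clause, while the hardened builder checks that the value is an integer and binds it as a parameter.

```python
"""Model of an integer-mapped DAAP field SQL injection and its fix.

Constructed example; the field table, term syntax and library rows are
assumptions for the demo and do not reproduce OwnTone's real parser.
"""
import re
import sqlite3

# Hypothetical DAAP field -> (SQL column, type). OwnTone's real table is
# larger; these two entries are assumed for the demonstration.
DAAP_FIELDS = {
    "daap.songalbumid": ("songalbumid", "int"),
    "daap.songartist": ("artist", "str"),
}

# One DAAP term written as 'field:value' (simplified syntax).
TERM_RE = re.compile(r"^'([a-z]+\.[a-z]+):(.*)'$")


def parse_term(term):
    """Split a term into (field, raw value); reject unknown fields."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"bad DAAP term: {term!r}")
    field, value = m.group(1), m.group(2)
    if field not in DAAP_FIELDS:
        raise ValueError(f"unknown DAAP field: {field}")
    return field, value


def vulnerable_where(term):
    """Flawed builder: integer fields are interpolated without any check."""
    field, value = parse_term(term)
    column, kind = DAAP_FIELDS[field]
    if kind == "int":
        return f"{column} = {value}", ()      # raw client text lands in SQL
    return f"{column} = ?", (value,)          # strings are at least bound


def hardened_where(term):
    """Fixed builder: integer fields must be integers, and everything is bound."""
    field, value = parse_term(term)
    column, kind = DAAP_FIELDS[field]
    if kind == "int":
        if not re.fullmatch(r"-?[0-9]{1,18}", value):
            raise ValueError(f"{field} expects an integer, got {value!r}")
        return f"{column} = ?", (int(value),)
    return f"{column} = ?", (value,)


def open_library():
    """Constructed sample library in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE files (id INTEGER, title TEXT, artist TEXT, "
        "songalbumid INTEGER, path TEXT)"
    )
    db.executemany("INSERT INTO files VALUES (?, ?, ?, ?, ?)", [
        (1, "Track A", "Artist X", 100, "/media/x/a.flac"),
        (2, "Track B", "Artist X", 100, "/media/x/b.flac"),
        (3, "Track C", "Artist Y", 200, "/media/y/c.flac"),
    ])
    return db


def run_filter(db, builder, term):
    """Apply a DAAP term through the given WHERE builder; return matching ids."""
    where, params = builder(term)
    rows = db.execute(f"SELECT id FROM files WHERE {where}", params)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_library()
    benign = "'daap.songalbumid:100'"
    payload = "'daap.songalbumid:0 OR 1=1'"     # illustrative, not a real PoC
    print(run_filter(db, vulnerable_where, benign))   # [1, 2]
    print(run_filter(db, vulnerable_where, payload))  # [1, 2, 3]  every row leaks
    print(run_filter(db, hardened_where, benign))     # [1, 2]
    try:
        run_filter(db, hardened_where, payload)
    except ValueError as err:
        print("rejected:", err)
```

The hardened version keeps the field-name allowlist (the column name is never client-controlled) and adds the missing integer check; binding the value as a parameter means the SQL text no longer depends on client input at all.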

Affected Systems

The vulnerability affects OwnTone Server software from version 28.4 up to and including 29.0. Only these builds are susceptible; version 29.1 and later are unaffected.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N) indicates moderate severity: the flaw is reachable over the network with low attack complexity and requires no privileges or user interaction, with low confidentiality and integrity impact and no availability impact. The EPSS probability is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC record reads Exploitation: none, Automatable: yes. Exploitation requires only that an attacker can send crafted query= or filter= values to the DAAP HTTP interface, so real exposure depends on whether the service accepts requests from unauthenticated or untrusted clients. The practical impact is unauthorized reading of library data rather than compromise of the host.

Generated by OpenCVE AI on April 22, 2026 at 04:22 UTC.

Remediation

No vendor advisory or workaround is linked from this entry. The affected range and the title (< 29.1) indicate that 29.1 is the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade OwnTone Server to version 29.1 or later.
  • Restrict network access to the DAAP service and disable public access if possible.
  • If the DAAP service must stay reachable before the upgrade, validate the query= and filter= parameters at a reverse proxy rather than dropping them: DAAP clients use these parameters for ordinary browsing, so blocking them outright breaks the service. Reject requests in which a value for an integer-mapped field contains anything other than digits, and log the rejections; this reduces exposure but is not a substitute for upgrading.
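As an added example (not OpenCVE's or OwnTone's tooling), the following Python scans constructed access-log lines for DAAP item requests whose query= or filter= terms give an integer-mapped field a non-numeric value. The log format, endpoint paths and the field list are assumptions for the demo; the same check is what a proxy-side validator would apply before forwarding a request.

```python
"""Flag DAAP requests whose integer-mapped field values are not integers.

Constructed example: the log line format, the /databases/ path prefix and
the INT_FIELDS set are assumptions, not taken from OwnTone or OpenCVE.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed subset of DAAP fields that map to integer columns.
INT_FIELDS = {"dmap.itemid", "daap.songalbumid", "daap.songyear"}

# Combined-log style request line: method, target, protocol, status.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# One DAAP term inside single quotes; an optional '!' before ':' negates it.
TERM_RE = re.compile(r"'([a-z]+\.[a-z]+)!?:([^']*)'")


def suspicious_terms(target):
    """Return (param, field, value) for integer fields with non-integer values."""
    parts = urlsplit(target)
    if "/databases/" not in parts.path:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for param in ("query", "filter"):
        for expr in qs.get(param, []):
            for field, value in TERM_RE.findall(expr):
                if field in INT_FIELDS and not re.fullmatch(r"-?[0-9]+", value):
                    hits.append((param, field, value))
    return hits


def scan_log(lines):
    """Return [(line_number, hits)] for every log line with suspicious terms."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = suspicious_terms(m.group("target"))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2026:10:01:02 +0000] "GET /databases/1/items'
    '?query=%27daap.songalbumid:100%27&meta=dmap.itemname HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Apr/2026:10:01:07 +0000] "GET /databases/1/containers/2/items'
    '?filter=%27dmap.itemid:1%20OR%201=1%27 HTTP/1.1" 200 9001',
    '10.0.0.5 - - [22/Apr/2026:10:01:09 +0000] "GET /server-info HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        for param, field, value in hits:
            print(f"line {line_no}: {param}= sets {field} to {value!r}")
```

Only the second constructed line is reported: its filter= value for dmap.itemid is "1 OR 1=1" rather than a plain integer. The check deliberately ignores string-mapped fields, which the advisory does not describe as affected, so it stays quiet on normal artist or title searches.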

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000

Type: First Time appeared
Values added: Owntone; Owntone owntone-server

Type: Vendors & Products
Values added: Owntone; Owntone owntone-server

Wed, 22 Apr 2026 02:45:00 +0000

Type: Description
Values added: OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

Type: Title
Values added: OwnTone Server < 29.1 SQL Injection via query and filter Parameters

Type: Weaknesses
Values added: CWE-89

Type: References
Values added:

Type: Metrics (cvssV4_0)
Values added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T13:08:55.971Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41457

Vulnrichment

Updated: 2026-04-22T13:08:52.505Z

NVD

Status : Received

Published: 2026-04-22T03:16:00.613

Modified: 2026-04-22T03:16:00.613

Link: CVE-2026-41457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses