Description
OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.
Published: 2026-04-22
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A race condition exists in the DAAP login handler of Owntone Server that allows an unauthenticated attacker to crash the server. The flaw arises from unsynchronized access to a global DAAP session list when multiple concurrent login requests are processed at the same time. Exploiting this race condition causes the server to terminate unexpectedly, resulting in a denial of service.

Affected Systems

Owntone Server versions 28.4 through 29.0 are affected. The issue does not apply to version 29.1 or later, which contain the fix.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating a high severity. The EPSS score is not available, but the high CVSS suggests a notable risk of exploitation. Attackers can trigger the condition by flooding the /login endpoint with simultaneous requests; no authentication is required. The vulnerability is not listed in the CISA KEV catalog, but its impact as a remote denial of service remains significant.

Generated by OpenCVE AI on April 22, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Owntone Server to version 29.1 or later to apply the fixed DAAP login handler.
  • If an upgrade is not immediately possible, apply the patch from commit dca94641a5ed66500822dd51281774794cdb6c22 that synchronizes access to the global DAAP session list.
  • Use firewall or reverse‑proxy rate‑limiting to restrict the number of concurrent requests to the /login endpoint, mitigating the risk of a DoS attack.

Generated by OpenCVE AI on April 22, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Owntone
Owntone server
Vendors & Products Owntone
Owntone server

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.
Title OwnTone Server < 29.1 Race Condition DoS via DAAP Login
Weaknesses CWE-362
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Owntone Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T18:06:24.028Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41458

cve-icon Vulnrichment

Updated: 2026-04-22T18:06:13.339Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T03:16:01.067

Modified: 2026-04-22T21:21:26.840

Link: CVE-2026-41458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:51Z

Weaknesses