CVE-2026-49128 - Vulnerability Details

- Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling

Description

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

Published: 2026-05-28

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Music Player Daemon (MPD) versions prior to 0.24.11 have a path traversal flaw in the LocalStorage plugin where user‑supplied URIs are concatenated to the storage root without canonicalization, allowing an attacker to craft URIs containing '..' segments. The vulnerability permits an unauthenticated attacker to use the listfiles command to enumerate directory entries that the MPD process can read, and to use the albumart command to read image files from any directory outside the configured music_directory. The result is the ability to read arbitrary files, leading to confidential data disclosure. The CVSS score of 8.7 indicates a high risk and a low to moderate attack complexity, while the lack of authentication is a notable concern.

Affected Systems

All users of MusicPlayerDaemon:MPD running releases before 0.24.11 are affected. The fix was introduced in version 0.24.11 (released in May 2026). Systems still running older versions that have the LocalStorage plugin enabled and that allow the listfiles or albumart commands are vulnerable, and the impact scope is limited to the filesystem permissions of the MPD process.

Risk and Exploitability

The vulnerability carries a high CVSS score of 8.7 and is not yet listed in CISA’s KEV, suggesting no widespread exploitation has been reported yet. EPSS data is unavailable, so the exact probability of exploitation is unknown. However, the attack path is straightforward: any local user or network client that can communicate with the MPD server and issue the listfiles or albumart commands can exploit it, regardless of the MPD process’s privileges, as the flaw relies on the process’s own file‑system access. Consequently, the risk remains significant for exposed MPD services.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MusicPlayerDaemon

MPD

affected

Version	Status	Constraints
`0`	affected	< 0.24.11

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade MPD to version 0.24.11 or later, where path canonicalization has been implemented.
Run the MPD process under a least‑privileged user that has no read access to sensitive parts of the filesystem.
Limit client access to the MPD server or disable the local‑storage plugin and the listfiles/albumart commands through configuration changes if an upgrade cannot be performed immediately.

Generated by OpenCVE AI on May 28, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00113.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60
https://github.com/MusicPlayerDaemon/MPD/issues/2484
https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
https://www.vulncheck.com/advisories/music-player-daemon-path-traversal-via-localstorage-uri-handling

History

Fri, 29 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html

Thu, 28 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.
Title		Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling
Weaknesses		CWE-22
References		https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60 https://github.com/MusicPlayerDaemon/MPD/issues/2484 https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11 https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/ https://www.vulncheck.com/advisories/music-player-daemon-path-traversal-via-localstorage-uri-handling
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-28T19:02:28.719Z

Updated: 2026-05-29T13:27:41.298Z

Reserved: 2026-05-27T17:40:12.738Z

Link: CVE-2026-49128

Vulnrichment

Updated: 2026-05-29T13:25:52.605Z

NVD

Status : Deferred

Published: 2026-05-28T20:16:26.547

Modified: 2026-05-29T14:16:32.350

Link: CVE-2026-49128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T20:30:25Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object