CVE-2026-41458

HIGH

OwnTone Server < 29.1 Race Condition DoS via DAAP Login

Title source: cna

Description

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

References (3)

[Issue Tracking] https://github.com/owntone/owntone-server/pull/1980

[Patch] https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login

Scores

CVSS v4 8.2

EPSS 0.0031

EPSS Percentile 54.4%

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-362

Status published

Products (2)

owntone/owntone-server 28.7.0 - 29.1.0

owntone/owntone-server dca94641a5ed66500822dd51281774794cdb6c22

Published Apr 22, 2026

Tracked Since Apr 22, 2026