CVE-2026-41458

HIGH

OwnTone Server < 29.1 Race Condition DoS via DAAP Login

Title source: cna

Description

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

References (3)

Core 3

Core References

Issue Tracking issue-tracking

https://github.com/owntone/owntone-server/pull/1980

Patch patch

https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login

Scores

CVSS v4 8.2

EPSS 0.0036

EPSS Percentile 28.1%

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-362

Status published

Products (3)

owntone/owntone-server 28.4.0 - 29.1.0

owntone/owntone-server 28.7.0 - 29.1.0

owntone/owntone-server dca94641a5ed66500822dd51281774794cdb6c22

Published Apr 22, 2026

Tracked Since Apr 22, 2026