CVE-2026-49128
Severity: HIGH
Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling
Title source: cnaDescription
Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.
References (7)
Exploit (technical description): https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
Patch (release notes): https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
Release Notes: https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
Release Notes: https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
Issue Tracking: https://github.com/MusicPlayerDaemon/MPD/issues/2484
Patch: https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60
Third Party Advisory: https://www.vulncheck.com/advisories/music-player-daemon-path-traversal-via-localstorage-uri-handling
Scores
CVSS v3
7.5
EPSS
0.0050
EPSS Percentile
38.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
MusicPlayerDaemon/MPD
< 0.24.11
Published
May 28, 2026
Tracked Since
May 29, 2026