CVE-2026-49129
MEDIUM
Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin
Title source: cna
Description
Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.
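The fix described above relies on libcurl's own redirect allowlist, i.e. `curl_easy_setopt(handle, CURLOPT_REDIR_PROTOCOLS_STR, "http,https")` next to `CURLOPT_FOLLOWLOCATION`; without it, a redirect is followed to whatever scheme the remote server names. The following added example (not MPD's or libcurl's code) models that check in pure Python standard library so it runs offline: `resolve_redirect` applies a scheme allowlist to a `Location` header, and `follow_redirects` walks a constructed, in-memory set of responses once with the allowlist and once with `allowed=None`, which mirrors the unrestricted behaviour. All URLs and responses are constructed sample data; `media.example` and `10.0.0.5` are placeholders.

```python
"""Redirect-scheme allowlist, the check CURLOPT_REDIR_PROTOCOLS_STR performs.

Added example, not MPD or libcurl code. Demonstrates why a fetcher that
follows redirects must restrict the schemes a redirect may lead to.
"""
from urllib.parse import urljoin, urlsplit

# Same policy the patch expresses to libcurl as "http,https".
ALLOWED_REDIR_SCHEMES = frozenset({"http", "https"})

# HTTP statuses for which a Location header is honoured.
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


class RedirectRefused(Exception):
    """Raised when a redirect target violates the scheme policy."""


def resolve_redirect(current_url, location, allowed=ALLOWED_REDIR_SCHEMES):
    """Resolve a Location header against the current URL and enforce the
    scheme allowlist. allowed=None disables the check (the weak setting)."""
    # Relative targets inherit the current scheme; absolute ones keep their
    # own, which is exactly where a non-HTTP scheme can be smuggled in.
    target = urljoin(current_url, location)
    scheme = urlsplit(target).scheme.lower()
    if allowed is not None and scheme not in allowed:
        raise RedirectRefused(
            f"refusing redirect to scheme {scheme!r}: {target}")
    return target


def follow_redirects(start_url, responses, allowed=ALLOWED_REDIR_SCHEMES,
                     max_redirects=5):
    """Follow a redirect chain through `responses`, a constructed mapping
    url -> (status, headers) standing in for the network. Returns the final
    URL that would actually be fetched."""
    url = start_url
    for _ in range(max_redirects + 1):
        status, headers = responses[url]
        location = headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return url
        url = resolve_redirect(url, location, allowed)
    raise RedirectRefused("too many redirects")


# Constructed sample "servers": a benign same-host redirect and a malicious
# one that points at a placeholder internal address over gopher.
SAMPLE_RESPONSES = {
    "http://media.example/old.mp3": (301, {"Location": "/new.mp3"}),
    "http://media.example/new.mp3": (200, {}),
    "http://media.example/stream.mp3": (302, {"Location": "gopher://10.0.0.5/"}),
    "gopher://10.0.0.5/": (200, {}),  # the internal service the chain reaches
}


def main():
    print("benign  :", follow_redirects("http://media.example/old.mp3",
                                        SAMPLE_RESPONSES))
    # Weak setting: FOLLOWLOCATION with no scheme restriction.
    print("weak    :", follow_redirects("http://media.example/stream.mp3",
                                        SAMPLE_RESPONSES, allowed=None))
    # Corrected setting: the gopher redirect is refused.
    try:
        follow_redirects("http://media.example/stream.mp3", SAMPLE_RESPONSES)
    except RedirectRefused as exc:
        print("hardened:", exc)


if __name__ == "__main__":
    main()
```

Note that the allowlist only constrains the scheme, as `CURLOPT_REDIR_PROTOCOLS_STR` does; an `http://` redirect to an internal host still passes it, so deployments that expose MPD to untrusted URLs also need network-level egress controls.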
References (7)
Exploit / technical description: https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
Patch / release notes: https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
Release notes: https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
Release notes: https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
Issue tracking: https://github.com/MusicPlayerDaemon/MPD/issues/2487
Patch: https://github.com/MusicPlayerDaemon/MPD/commit/78341dd6c7b101c3feede233d4cc4f8f1fcc4bb3
Third-party advisory: https://www.vulncheck.com/advisories/music-player-daemon-ssrf-via-curlinputplugin
Scores
CVSS v3
5.8
EPSS
0.0028
EPSS Percentile
19.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
MusicPlayerDaemon/MPD
< 0.24.11
Published
May 28, 2026
Tracked Since
May 29, 2026