
Description

OwnTone Server versions 28.4 through 29.0 contain a race condition (CWE-362) in the DAAP login handler: the global DAAP session list is accessed without synchronization, so an unauthenticated attacker who floods the DAAP /login endpoint with concurrent requests can crash the server, causing a remote denial of service.
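The race the record describes, modelled as an added example (this is not OwnTone's code): a global singly linked session list that every login and logout handler thread mutates. The `struct session` layout, the `sessions`/`next_id` globals, `sessions_lck` and the `flood_sessions` harness are all hypothetical. Building with `-DRACY` drops the locking to reproduce the CWE-362 pattern; the default build is the hardened form, in which every read or write of the shared list happens under one mutex.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical DAAP-style session record (added example, not OwnTone's code). */
struct session {
    uint32_t id;
    struct session *next;
};

static struct session *sessions;               /* shared list head */
static uint32_t next_id = 1;                   /* shared id counter */
pthread_mutex_t sessions_lck = PTHREAD_MUTEX_INITIALIZER;

/* -DRACY: handlers touch the shared list with no lock at all (the bug).
 * Default: the hardened form, one mutex around every list access. */
#ifdef RACY
#define LIST_LOCK()   ((void)0)
#define LIST_UNLOCK() ((void)0)
#else
#define LIST_LOCK()   pthread_mutex_lock(&sessions_lck)
#define LIST_UNLOCK() pthread_mutex_unlock(&sessions_lck)
#endif

/* "Login": allocate a session and push it on the list. Returns its id, or 0 on
 * allocation failure. The id is copied out while still locked so no field of s
 * is read after another thread could have removed and freed it. */
uint32_t session_add(void)
{
    struct session *s = calloc(1, sizeof(*s));
    if (!s)
        return 0;
    LIST_LOCK();
    s->id = next_id++;
    s->next = sessions;
    sessions = s;
    uint32_t id = s->id;
    LIST_UNLOCK();
    return id;
}

/* "Logout": unlink and free the session with this id. Returns 1 if it was found. */
int session_remove(uint32_t id)
{
    int found = 0;
    LIST_LOCK();
    for (struct session **pp = &sessions; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct session *victim = *pp;
            *pp = victim->next;
            free(victim);
            found = 1;
            break;
        }
    }
    LIST_UNLOCK();
    return found;
}

size_t session_count(void)
{
    size_t n = 0;
    LIST_LOCK();
    for (struct session *s = sessions; s; s = s->next)
        n++;
    LIST_UNLOCK();
    return n;
}

/* One simulated client hammering /login and logout in a tight loop. */
#define N_CLIENTS 8
#define N_LOGINS  2000

static void *client_thread(void *arg)
{
    (void)arg;
    for (int i = 0; i < N_LOGINS; i++) {
        uint32_t id = session_add();
        if (id != 0 && !session_remove(id))
            return (void *)(uintptr_t)1;   /* our own session vanished */
    }
    return NULL;
}

/* Runs the flood. Returns 0 when every client found its own session again and
 * the list is empty afterwards, 1 on corruption, -1 if a thread failed to start.
 * In the hardened build this is always 0. */
int flood_sessions(void)
{
    pthread_t tids[N_CLIENTS];
    int rc = 0;
    for (int i = 0; i < N_CLIENTS; i++)
        if (pthread_create(&tids[i], NULL, client_thread, NULL) != 0)
            return -1;
    for (int i = 0; i < N_CLIENTS; i++) {
        void *ret = NULL;
        pthread_join(tids[i], &ret);
        if (ret != NULL)
            rc = 1;
    }
    if (session_count() != 0)
        rc = 1;
    return rc;
}

int main(void)
{
    int rc = flood_sessions();
    printf("%d clients x %d logins: %s\n", N_CLIENTS, N_LOGINS,
           rc == 0 ? "session list intact" : "session list corrupted");
    return rc == 0 ? 0 : 1;
}
```

Build the default form with `cc -pthread race.c` and the racy form with `cc -pthread -DRACY race.c`. The racy build, run under `-fsanitize=thread`, reports the data races on `sessions` and `next_id`; without the sanitizer its outcome varies from lost insertions to a crash on a freed node, which is the denial of service the record describes. The fix pattern is the whole point of the default build: the list is only ever read or written while `sessions_lck` is held, and nothing dereferences a node after the lock is released.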

Status: PUBLISHED | Reserved 2026-04-20 | Published 2026-04-22 | Updated 2026-04-22 | Assigner: VulnCheck




HIGH: 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Product status

Default status: unaffected

28.7.0 (semver) before 29.1.0: affected

dca94641a5ed66500822dd51281774794cdb6c22 (git): unaffected

Credits

Younghyo Cho @ CIS Lab., Seoultech (finder)

References

github.com/owntone/owntone-server/pull/1980 (issue-tracking)

github.com/...ommit/dca94641a5ed66500822dd51281774794cdb6c22 (patch)

www.vulncheck.com/...erver-race-condition-dos-via-daap-login (third-party-advisory)

cve.org (CVE-2026-41458)

nvd.nist.gov (CVE-2026-41458)
