Home

Description

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

PUBLISHED Reserved 2026-05-27 | Published 2026-05-28 | Updated 2026-05-29 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
affected

Any version before 0.24.11
affected

Credits

Matteo Strada finder

Daniele Berardinelli finder

References

github.com/MusicPlayerDaemon/MPD/issues/2484 exploit

mstreet97.github.io/...026/05/25/Four_Bugs_Reachable_nc.html technical-description exploit

www.musicpd.org/news/2026/05/mpd-0-24-11-released/ release-notes patch

raw.githubusercontent.com/...cPlayerDaemon/MPD/v0.24.11/NEWS release-notes

github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11 release-notes

github.com/MusicPlayerDaemon/MPD/issues/2484 issue-tracking

github.com/...ommit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60 patch

www.vulncheck.com/...traversal-via-localstorage-uri-handling third-party-advisory

cve.org (CVE-2026-49128)

nvd.nist.gov (CVE-2026-49128)

Download JSON