Executive Summary

CVE-2026-23877 is a directory traversal vulnerability in the Swing Music application prior to version 2.1.4. It exists in the `list_folders()` function of the `/folder/dir-browser` endpoint, which lacks proper path validation and authorization checks. This flaw allows any authenticated user, including non-admins, to browse arbitrary directories on the server filesystem by exploiting improper handling of directory paths, such as using `../` sequences to traverse outside intended directories. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to information disclosure by allowing attackers to access sensitive server filesystem structures, configuration files, user account names, software versions, installed packages, log files, and system paths. It can also facilitate further attacks like Local File Inclusion (LFI) or Remote Code Execution (RCE) by bypassing access controls and exposing sensitive directories. Exploitation requires only low privileges (any authenticated user) and no user interaction, making it a moderate severity risk. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the directory traversal flaw in the `/folder/dir-browser` POST API endpoint of Swing Music versions prior to 2.1.4. For example, an authenticated user can send a POST request with a JSON payload specifying a folder path containing directory traversal sequences like `/music/../proc/self/`. If the server responds with directory listings from unintended locations such as `/proc/self`, it indicates the vulnerability is present. A sample curl command to test this could be: curl -X POST -H "Content-Type: application/json" -d '{"folder": "/music/../proc/self/"}' http://<server-address>/folder/dir-browser If the response includes directory entries like `attr`, `cwd`, `fd`, etc., the system is vulnerable. [2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Swing Music to version 2.1.4 or later, where the issue is fixed. The fix includes strict path validation that ensures all file system accesses remain within user-configured root directories, preventing directory traversal. Additionally, access to the vulnerable `list_folders()` function is restricted to admin users only. If upgrading is not immediately possible, restrict access to the `/folder/dir-browser` endpoint to trusted users and monitor for suspicious requests attempting directory traversal sequences. Implementing network-level controls to limit access to the application and applying strict input validation on paths can also help mitigate the risk. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user to browse arbitrary directories on the server filesystem, potentially exposing sensitive information such as configuration files, user account names, software versions, installed packages, log file locations, and system paths. This unauthorized access and information disclosure could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate protection of sensitive data and proper access controls. Therefore, the vulnerability negatively impacts compliance by enabling unauthorized data exposure and weakening access control mechanisms. [2]

Useful 0 Not Useful 0