CVE-2026-41457
SQL Injection in OwnTone Server DAAP Query Enables Data Access
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | owntone_server | From 28.4 (inc) to 29.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41457 is a SQL injection vulnerability in OwnTone Server versions 28.4 through 29.0. It occurs in the handling of DAAP (Digital Audio Access Protocol) query and filter parameters, specifically the query= and filter= parameters for integer-mapped DAAP fields.
The vulnerability arises because these parameters are not properly sanitized, allowing attackers to inject arbitrary SQL expressions. This can let attackers bypass filters and gain unauthorized access to media library data.
The root cause was unsafe SQL query construction where string values were directly appended to SQL queries without validation. The fix involved converting input strings to integers before appending them to the SQL query, preventing injection through these integer-mapped fields.
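The before/after pattern described above, as an added example that is not OwnTone's own code: one helper appends the client value to the clause unchanged, the other parses it as an integer and appends only the parsed number. The function names, the `f.year` column, the sample values and the use of `strtol` are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper and column names; not taken from OwnTone's source. */

/* "Before" pattern: the client-supplied value is pasted into the clause as-is,
 * so anything after the leading digits becomes part of the SQL text. */
static int clause_unsafe(char *out, size_t len, const char *col, const char *val)
{
    int n = snprintf(out, len, "%s = %s", col, val);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* "After" pattern: parse the value as a base-10 integer, reject input that is
 * not entirely numeric or is out of range, then append the parsed number. */
static int clause_safe(char *out, size_t len, const char *col, const char *val)
{
    char *end;
    long num;
    int n;

    if (!val || strlen(val) == 0)
        return -1;
    errno = 0;
    num = strtol(val, &end, 10);
    if (errno == ERANGE || end == val || *end != '\0' || num < INT_MIN || num > INT_MAX)
        return -1;
    n = snprintf(out, len, "%s = %ld", col, num);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    const char *samples[] = { "2020", "-1", "2020 OR 1=1", "20x", "" }; /* constructed */
    char before[128], after[128];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int ru = clause_unsafe(before, sizeof(before), "f.year", samples[i]);
        int rs = clause_safe(after, sizeof(after), "f.year", samples[i]);
        printf("%-12s unsafe: %-22s safe: %s\n", samples[i],
               ru == 0 ? before : "(error)", rs == 0 ? after : "rejected");
    }
    return 0;
}
```

Rejecting on `*end != '\0'` is what matters here: a parser that stops at the first non-digit and ignores the remainder would accept `2020 OR 1=1` as 2020 without signalling that the request was malformed.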
How can this vulnerability impact me?
This vulnerability allows attackers to inject arbitrary SQL commands through the DAAP query and filter parameters without requiring any privileges, authentication, or user interaction.
As a result, attackers can bypass filtering mechanisms and gain unauthorized access to media library data stored on the OwnTone Server.
The impact on confidentiality and integrity is considered low, and there is no impact on availability. However, unauthorized data access can still pose a security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection via the query= and filter= parameters in DAAP requests to OwnTone Server. Detection can focus on monitoring network traffic for suspicious DAAP requests containing unusual or malformed values in these parameters.
You can use network traffic inspection tools like tcpdump or Wireshark to capture DAAP traffic and look for suspicious query= or filter= parameter values that include SQL syntax or unexpected characters.
Example commands to capture and inspect DAAP traffic on port 3689 (default DAAP port):
- tcpdump -l -i <interface> -A 'tcp port 3689' | grep -iE 'query=|filter=' (-l line-buffers tcpdump's output so grep shows matches as packets arrive)
- Use Wireshark with a display filter: tcp.port == 3689 and (http.request.uri contains "query=" or http.request.uri contains "filter=")
Additionally, reviewing OwnTone Server logs for unusual query or filter parameter values or unexpected database errors may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update OwnTone Server to version 29.1 or later, where the SQL injection vulnerability has been fixed by properly sanitizing integer-mapped DAAP query and filter parameters.
If immediate patching is not possible, consider restricting network access to the OwnTone Server DAAP port (default 3689) to trusted clients only, to reduce exposure.
Monitor logs and network traffic for suspicious DAAP query or filter parameter usage to detect potential exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to bypass filters and gain unauthorized access to media library data by exploiting a SQL injection flaw in the DAAP query and filter handling. This unauthorized access to data could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on unauthorized data access and protection of personal or sensitive information.
However, the provided information does not explicitly mention any direct impact or assessment related to compliance with specific standards or regulations like GDPR or HIPAA.