CVE-2026-41457
Received Received - Intake
SQL Injection in OwnTone Server DAAP Query Enables Data Access

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: VulnCheck

Description
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41457
EUVD
EUVD-2026-24585
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
owntone owntone_server From 28.4 (inc) to 29.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41457 is a SQL injection vulnerability in OwnTone Server versions 28.4 through 29.0. It occurs in the handling of DAAP (Digital Audio Access Protocol) query and filter parameters, specifically the query= and filter= parameters for integer-mapped DAAP fields.

The vulnerability arises because these parameters are not properly sanitized, allowing attackers to inject arbitrary SQL expressions. This can let attackers bypass filters and gain unauthorized access to media library data.

The root cause was unsafe SQL query construction where string values were directly appended to SQL queries without validation. The fix involved converting input strings to integers before appending them to the SQL query, preventing injection through these integer-mapped fields.

Compliance Impact

The vulnerability allows attackers to bypass filters and gain unauthorized access to media library data by exploiting a SQL injection flaw in the DAAP query and filter handling. This unauthorized access to data could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on unauthorized data access and protection of personal or sensitive information.

However, the provided information does not explicitly mention any direct impact or assessment related to compliance with specific standards or regulations like GDPR or HIPAA.

Impact Analysis

This vulnerability allows attackers to inject arbitrary SQL commands through the DAAP query and filter parameters without requiring any privileges, authentication, or user interaction.

As a result, attackers can bypass filtering mechanisms and gain unauthorized access to media library data stored on the OwnTone Server.

The impact on confidentiality and integrity is considered low, and there is no impact on availability. However, unauthorized data access can still pose a security risk.

Detection Guidance

This vulnerability involves SQL injection via the query= and filter= parameters in DAAP requests to OwnTone Server. Detection can focus on monitoring network traffic for suspicious DAAP requests containing unusual or malformed values in these parameters.

You can use network traffic inspection tools like tcpdump or Wireshark to capture DAAP traffic and look for suspicious query= or filter= parameter values that include SQL syntax or unexpected characters.

Example commands to capture and inspect DAAP traffic on port 3689 (default DAAP port):

  • tcpdump -i <interface> -A 'tcp port 3689' | grep -iE 'query=|filter='
  • Use Wireshark with a display filter: tcp.port == 3689 and (http.request.uri contains "query=" or http.request.uri contains "filter=")

Additionally, reviewing OwnTone Server logs for unusual query or filter parameter values or unexpected database errors may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to update OwnTone Server to version 29.1 or later, where the SQL injection vulnerability has been fixed by properly sanitizing integer-mapped DAAP query and filter parameters.

If immediate patching is not possible, consider restricting network access to the OwnTone Server DAAP port (default 3689) to trusted clients only, to reduce exposure.

Monitor logs and network traffic for suspicious DAAP query or filter parameter usage to detect potential exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart