CVE-2026-49128
Status: Deferred - Pending Action
Path Traversal in Music Player Daemon Local Storage Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-29
Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 3 associated CPEs
Vendor                Product   Version / Range
music_player_daemon   mpd       to 0.24.11 (exc)
musicplayerdaemon     mpd       to 0.24.11 (exc)
musicplayerdaemon     mpd       *
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-49128 is a path traversal vulnerability in Music Player Daemon (MPD) versions before 0.24.11, specifically in the LocalStorage plugin's functions LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8.

The vulnerability arises because the software constructs filesystem paths by directly concatenating a user-supplied URI with the storage root without proper canonicalization. This allows path traversal sequences like ".." to escape the intended directory.

An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read specific image files (such as cover.png, cover.jpg, cover.jxl, cover.webp) from directories outside the configured music directory.

Impact Analysis

This vulnerability allows an unauthenticated attacker to perform unauthorized directory enumeration and limited file disclosure on the system where MPD is running.

Specifically, the attacker can use the listfiles command to reveal directory contents, including file names, sizes, and modification times, of any directories that the MPD process has read access to. This could include sensitive system directories like /etc, /usr, /var, or user home directories.

Additionally, the attacker can use the albumart command to read certain image files outside the intended music directory, potentially exposing files named cover.png, cover.jpg, cover.jxl, or cover.webp, or files accessible via manipulated symlinks.

Overall, this can lead to unauthorized information disclosure and potential privacy or security risks depending on the files accessible by the MPD process.

Detection Guidance

This vulnerability can be detected by sending crafted unauthenticated commands to the Music Player Daemon (MPD) server, typically running on port 6600, to check for unauthorized directory traversal.

  • Use the `listfiles` command with path traversal sequences (e.g., `listfiles ..` or `listfiles ../../../etc`) to enumerate directory contents outside the intended music directory.
  • Use the `albumart` command with a path containing traversal sequences to attempt reading image files like `cover.png` or `cover.jpg` from directories outside the configured music directory.

If these commands return directory listings or image files from unauthorized locations, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, where the vulnerability has been fixed by adding validation to prevent unsafe relative URIs.

Until the upgrade can be applied, restrict network access to the MPD server port (default 6600) to trusted clients only, preventing unauthenticated attackers from sending crafted commands.

Additionally, review and tighten filesystem permissions for the MPD process to limit its read access to only necessary directories, reducing the impact of potential exploitation.
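As an added example (not MPD's source code), the shape of the fix the advisory describes: validate the client-supplied relative URI before it is joined to the storage root so that no '..' segment survives into the on-disk path, shown next to the unchecked string join for contrast. Function names and the storage root path are assumptions.

```cpp
#include <string>
#include <string_view>
#include <optional>
#include <cstdio>

// Hypothetical validator: a URI is safe only if it is relative, has no NUL
// byte, and contains no empty or ".." segment when split on '/'.
bool UriIsSafeRelative(std::string_view uri) {
    if (uri.empty() || uri.front() == '/') return false;       // absolute or empty
    if (uri.find('\0') != std::string_view::npos) return false; // embedded NUL
    size_t start = 0;
    while (start <= uri.size()) {
        size_t end = uri.find('/', start);
        if (end == std::string_view::npos) end = uri.size();
        std::string_view seg = uri.substr(start, end - start);
        if (seg.empty()) return false;  // "//", leading or trailing '/'
        if (seg == "..") return false;  // traversal segment: reject before openat()
        start = end + 1;
    }
    return true;
}

// Vulnerable shape from the advisory (constructed, not MPD's code): root and
// URI are joined as plain strings, so "../.." is passed through to the kernel.
std::string MapUtf8Unchecked(const std::string& root, std::string_view uri) {
    std::string path = root;
    if (path.empty() || path.back() != '/') path += '/';
    path.append(uri);
    return path;
}

// Hardened counterpart: refuse to build a path for an unsafe URI at all.
std::optional<std::string> MapUtf8Checked(const std::string& root, std::string_view uri) {
    if (!UriIsSafeRelative(uri)) return std::nullopt;
    return MapUtf8Unchecked(root, uri);
}

int main() {
    const std::string root = "/var/lib/mpd/music";  // assumed music_directory
    for (std::string_view uri : {"Albums/Foo/cover.png", "../../../etc", "/etc"}) {
        auto mapped = MapUtf8Checked(root, uri);
        std::printf("%-22s unchecked=%s checked=%s\n", std::string(uri).c_str(),
                    MapUtf8Unchecked(root, uri).c_str(),
                    mapped ? mapped->c_str() : "<rejected>");
    }
    return 0;
}
```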

Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate directory contents and read certain files outside the intended music directory, potentially exposing sensitive information depending on the filesystem permissions of the MPD process.

This unauthorized access to file metadata and image files could lead to exposure of personal or sensitive data, which may impact compliance with data protection regulations such as GDPR or HIPAA if such data is stored on the affected system and accessible by the MPD process.

However, the provided information does not explicitly state the direct impact on compliance with these standards, nor does it specify if any regulated data is at risk.
