CVE-2026-49129
Status: Received - Intake
MPD Server-Side Request Forgery via CurlInputPlugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-29
AI Q&A
2026-05-29
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor                Product   Version / Range
music_player_daemon   mpd       before 0.24.11 (upper bound exclusive)
libcurl               libcurl   before 7.85.0 (upper bound exclusive)
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-49129 is a Server-Side Request Forgery (SSRF) vulnerability in the CurlInputPlugin of Music Player Daemon (MPD) before version 0.24.11. The plugin enables libcurl's CURLOPT_FOLLOWLOCATION so that HTTP redirects are followed, but it does not set CURLOPT_REDIR_PROTOCOLS_STR, the option that limits which schemes a redirect target may use. The plugin's http/https check therefore applies only to the URL a client submitted: a malicious HTTP server can answer with a Location header pointing at gopher, ftp, sftp, ldap, dict, rtmp or rtsp, and libcurl follows it. Per the advisory this affects MPD builds linked against libcurl older than 7.85.0, the libcurl release that introduced CURLOPT_REDIR_PROTOCOLS_STR.

Any client that can reach MPD's control port (TCP 6600 by default, and unauthenticated unless a password is configured in mpd.conf) can trigger a fetch by sending add, readcomments, albumart, readpicture or load with a URL of its choosing. The redirect then makes MPD open a connection to an internal or otherwise restricted service over a scheme the plugin was never meant to speak, which can leak data from that service or let the attacker drive it with traffic shaped through the redirect URL.
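To make the mechanism concrete, here is an added example (not MPD or libcurl code) that models the two policies in plain Python against a constructed, offline "network": a fetcher that checks the scheme of the submitted URL only, as the advisory describes the vulnerable plugin, beside one that checks every redirect hop, which is what CURLOPT_REDIR_PROTOCOLS_STR makes libcurl do. All hostnames and addresses are made up, and the exact "http,https" value used for the hardened policy is an assumption.

```python
"""Model of the redirect-scheme check that CURLOPT_REDIR_PROTOCOLS_STR adds.

Added illustration, not MPD or libcurl code.  The "network" is a constructed
table of URL -> response so it runs offline; every hostname, address and port
in it is made up.
"""
from urllib.parse import urljoin, urlsplit

MAX_REDIRS = 5

# Constructed responses: (302, Location header) for a redirect,
# (200, body) for a final answer.
FAKE_NET = {
    # benign stream: one hop to a CDN path, both http
    "http://radio.example/stream.mp3": (302, "/cdn/stream.mp3"),
    "http://radio.example/cdn/stream.mp3": (200, b"ID3..."),
    # attacker-controlled server answering with a non-HTTP redirect target
    "http://attacker.example/track.mp3": (302, "gopher://10.0.0.5:70/"),
    # internal service reached if the redirect is followed
    "gopher://10.0.0.5:70/": (200, b"internal gopher banner"),
}


class SchemeRejected(Exception):
    """Raised when a URL's scheme is not in the active allow-list."""


def fetch(url, allowed_initial, allowed_redirect):
    """Follow redirects from `url`; return (final_url, body, hops).

    allowed_initial  - schemes accepted for the URL the client submitted
                       (what CURLOPT_PROTOCOLS_STR governs)
    allowed_redirect - schemes accepted for Location targets
                       (what CURLOPT_REDIR_PROTOCOLS_STR governs);
                       None models a client that never sets it
    """
    if urlsplit(url).scheme not in allowed_initial:
        raise SchemeRejected(url)
    hops = [url]
    for _ in range(MAX_REDIRS + 1):
        status, payload = FAKE_NET[url]
        if status != 302:
            return url, payload, hops
        target = urljoin(url, payload)  # Location may be relative
        if allowed_redirect is not None and urlsplit(target).scheme not in allowed_redirect:
            raise SchemeRejected(target)
        url = target
        hops.append(url)
    raise RuntimeError("too many redirects")


def vulnerable_fetch(url):
    """MPD < 0.24.11 as the advisory describes it: the initial URL must be
    http/https, but redirect targets are never checked."""
    return fetch(url, {"http", "https"}, None)


def hardened_fetch(url):
    """The same check applied to every hop.  That the fixed plugin passes
    exactly "http,https" to CURLOPT_REDIR_PROTOCOLS_STR is an assumption."""
    return fetch(url, {"http", "https"}, {"http", "https"})


def rejected(fetcher, url):
    """True if `fetcher` refuses `url` or one of its redirect hops."""
    try:
        fetcher(url)
    except SchemeRejected:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_fetch("http://attacker.example/track.mp3")[0])  # gopher://10.0.0.5:70/
    print(rejected(hardened_fetch, "http://attacker.example/track.mp3"))  # True
```

The vulnerable policy never looks at the redirect target, so the attacker's server decides which scheme and host libcurl speaks to next; the hardened policy refuses the gopher hop while still allowing the ordinary http-to-http redirect that real stream hosts use.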


How can this vulnerability impact me?

An unauthenticated client can make MPD open connections to internal or otherwise restricted services by steering a redirect to a scheme the plugin never intended to use. Replies from those services, such as banners or protocol handshakes, can leak details like software versions or configuration that would not be reachable from the attacker's position.

Because the schemes involved (ftp, sftp, gopher, ldap, dict, rtmp, rtsp) are spoken to whatever host and port the redirect names, the same mechanism lets an attacker probe, and in some cases send shaped requests to, services that are reachable from the MPD host but not from the outside, turning MPD into a pivot into the internal network. Exposure depends on the libcurl MPD is linked against: per the advisory, only builds using libcurl older than 7.85.0 are affected.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are two things to check. First, whether the deployment is exposed at all: mpd --version prints the MPD version, and the package manager reports the libcurl it is linked against (for example dpkg -s libcurl4 on Debian/Ubuntu or rpm -q libcurl on RPM-based systems); per the advisory, MPD before 0.24.11 combined with libcurl before 7.85.0 is the affected pair.

Second, whether anyone is triggering it. A successful exploit shows up as an outbound connection from the MPD host to an internal address, or to a port belonging to one of the redirect-target schemes, opened shortly after a client sent add, readcomments, albumart, readpicture or load with a URL argument. Capture outbound connection attempts from the MPD host that are not ordinary http/https stream fetches, and place canary listeners on internal hosts to catch a redirected connection.

  • tcpdump -ni <interface> 'src host <mpd_server_ip> and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not dst port 80 and not dst port 443' captures only the SYNs MPD sends somewhere other than an http/https port; a filter on MPD's own control port would show the attacker's commands but not the connection they cause.
  • A listener such as nc -l 70 (syntax varies between netcat variants) on an otherwise unused internal host, or on 21, 22, 389, 554, 1935 or 2628 (ftp, sftp, ldap, rtsp, rtmp, dict), records any redirected connection together with its source; no legitimate MPD stream fetch should ever arrive there.
  • MPD's default log level does not record client commands. Set log_level "verbose" in mpd.conf so that commands are logged, then review the log for add, readcomments, albumart, readpicture or load whose http:// or https:// argument points at a host you do not recognize.
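As an added example (not from the advisory or from MPD), the following Python applies the checks above to a constructed list of outbound connection attempts from the MPD host: it flags destinations in internal address space and destination ports that belong to the advisory's redirect-target schemes, while leaving ordinary http/https stream fetches alone. The MPD host address and every other address in the sample are made up.

```python
"""Flag outbound connections from an MPD host that look like redirect-driven
fetches to non-HTTP schemes or to internal address space.

Added example, not part of the advisory or of MPD.  The flow records are
constructed: one "timestamp src dst dport" line per TCP connection attempt,
the kind of summary a firewall log, conntrack export or tcpdump one-liner
gives.  The MPD host address and every other address are made up.
"""
import ipaddress
from typing import NamedTuple

MPD_HOST = "192.0.2.10"      # assumed address of the MPD server
STREAM_PORTS = {80, 443}     # what a genuine http/https stream fetch uses

# IANA-assigned ports of the schemes the advisory lists as redirect targets.
SCHEME_PORTS = {
    21: "ftp", 22: "sftp", 70: "gopher", 389: "ldap", 636: "ldaps",
    554: "rtsp", 1935: "rtmp", 2628: "dict",
}

# Address space an internet radio stream has no business living in.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed sample: two normal stream fetches, three redirect-shaped
# connections, and one flow from another host that must be ignored.
SAMPLE_FLOWS = """\
2026-05-28T10:00:01Z 192.0.2.10 203.0.113.7 443
2026-05-28T10:00:02Z 192.0.2.10 203.0.113.7 80
2026-05-28T10:00:03Z 192.0.2.10 10.0.0.5 70
2026-05-28T10:00:04Z 192.0.2.10 127.0.0.1 8080
2026-05-28T10:00:05Z 192.0.2.10 203.0.113.9 2628
2026-05-28T10:00:06Z 192.0.2.11 10.0.0.8 389
"""


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse the constructed flow format, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], parts[2], int(parts[3])))
    return flows


def is_internal(addr):
    """True if `addr` falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def reasons(flow, mpd_host=MPD_HOST):
    """Why a flow from the MPD host is suspicious; [] means it looks normal."""
    if flow.src != mpd_host:
        return []
    out = []
    if is_internal(flow.dst):
        out.append(f"destination {flow.dst} is internal address space")
    if flow.dport in SCHEME_PORTS:
        out.append(f"port {flow.dport} is the {SCHEME_PORTS[flow.dport]} port")
    elif flow.dport not in STREAM_PORTS:
        out.append(f"port {flow.dport} is not a normal stream port (80/443)")
    return out


def scan(text, mpd_host=MPD_HOST):
    """Return [(flow, reasons)] for every suspicious flow in `text`."""
    hits = []
    for flow in parse_flows(text):
        why = reasons(flow, mpd_host)
        if why:
            hits.append((flow, why))
    return hits


if __name__ == "__main__":
    for flow, why in scan(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}: {'; '.join(why)}")
```

Feed it the real export from your firewall or flow collector after mapping the columns; the two http/https fetches to the public host pass, the gopher, loopback and dict connections are reported with the reason for each, and traffic from other hosts is ignored.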

What immediate steps should I take to mitigate this vulnerability?

Upgrade Music Player Daemon (MPD) to version 0.24.11 or later. That release raises the minimum libcurl version to 7.85.0, the release in which CURLOPT_REDIR_PROTOCOLS_STR became available, so that the http/https restriction is enforced on redirect targets as well as on the initial URL; a redirect to gopher, ftp, sftp, ldap, dict, rtmp or rtsp is then refused by libcurl rather than followed.

Because libcurl is a shared library, confirm after the upgrade that the running MPD is actually linked against libcurl 7.85.0 or newer (check the installed libcurl package), not only that the build headers were new enough.

If upgrading is not immediately possible, reduce both who can reach MPD and what MPD can reach. In mpd.conf, bind the control socket to localhost or a Unix socket (bind_to_address), require a password, and set default_permissions so that unauthenticated clients do not hold the add permission; that blocks add and load for them, while readcomments, albumart and readpicture are read-level commands and remain available to any client that can connect.

On the network side, block outbound connections from the MPD host to internal services and to ports other than those its streams legitimately use (normally 80 and 443), so that even a followed redirect cannot reach anything of value.

