Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-49129 is a Server-Side Request Forgery (SSRF) vulnerability in Music Player Daemon (MPD) versions before 0.24.11, specifically in the CurlInputPlugin. The vulnerability occurs because the plugin uses libcurl's CURLOPT_FOLLOWLOCATION option without properly restricting the allowed redirect protocols via CURLOPT_REDIR_PROTOCOLS_STR. This allows unauthenticated attackers to bypass the intended HTTP/HTTPS scheme restrictions by causing malicious HTTP servers to redirect MPD to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp.

Attackers can exploit this vulnerability by sending MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load. This can cause MPD to interact with internal or restricted network services, potentially leaking information or enabling further attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to make MPD connect to arbitrary internal or restricted network services by exploiting redirects to unsupported protocols. This can lead to information leakage such as banners or protocol handshakes from internal services, which may reveal sensitive details like software versions or configurations.

Because MPD can be tricked into interacting with various protocols (e.g., sftp, ftp, gopher, rtmp), attackers might use this to bypass network restrictions or gain insights into internal network infrastructure, increasing the risk of further exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual MPD commands that initiate URL fetches such as add, readcomments, albumart, readpicture, or load, which may be exploited to trigger SSRF attacks.

Detection can involve setting up network listeners to observe unexpected connections or banner leaks from internal services that MPD might be tricked into accessing.

For example, you can use network monitoring tools like tcpdump or Wireshark to capture traffic from the MPD server and look for connections to unusual protocols or internal IP addresses.

• tcpdump -i <interface> host <mpd_server_ip> and port <mpd_port>
• Use netcat (nc) or similar tools to set up a listener on internal services to detect if MPD is making unexpected connections.
• Review MPD logs for usage of commands like add, readcomments, albumart, readpicture, or load that include URLs.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, which raises the minimum required libcurl version to 7.85.0.

This upgrade ensures that libcurl restricts CURLOPT_FOLLOWLOCATION redirects to only HTTP and FTP protocols, preventing attackers from exploiting redirects to unsupported protocols.

If upgrading is not immediately possible, consider restricting network access to the MPD server and internal services to limit the attack surface.

Additionally, monitor and restrict the use of MPD commands that fetch URLs, such as add, readcomments, albumart, readpicture, or load.

Useful 0 Not Useful 0