CVE-2026-50233
Deferred - Pending Action
Arbitrary Directory Listing in Lyrion Music Server

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulnCheck

Description
Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
Meta Information

Published: 2026-06-05

Last Modified: 2026-06-05

Generated: 2026-06-25

AI Q&A: 2026-06-05

EPSS Evaluated: 2026-06-24

Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
lyrion music_server 9.2.0
lyrion music_server to 9.2.0 (exc)
CWE ID Description
CWE-548 The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
Executive Summary

CVE-2026-50233 is an arbitrary directory listing vulnerability found in Lyrion Music Server version 9.2.0 or earlier.

The vulnerability exists in the readdirectory query, which can be accessed via the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js.

This query accepts a folder parameter and lists the contents of that folder without restricting access to only configured media directories and without requiring authentication in the default configuration.

As a result, a remote, unauthenticated attacker can enumerate arbitrary locations on the host filesystem.

Impact Analysis

This vulnerability allows remote attackers to list arbitrary directories on the host filesystem without authentication.

Such unauthorized directory enumeration can expose sensitive information about the system's file structure and contents.

Attackers could use this information to plan further attacks or gain insights into the system's configuration and data.

Detection Guidance

This vulnerability can be detected by sending the readdirectory query to a Lyrion Music Server instance running version 9.2.0 or earlier. Test both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js.

  • For the CLI service, use a network tool like netcat or telnet to connect to port 9090 and send a crafted readdirectory query with a folder parameter to see if directory contents are returned without authentication.
  • For the HTTP JSON-RPC endpoint, use curl or a similar HTTP client to send a POST request to http://<server-ip>:<port>/jsonrpc.js with a JSON body containing the readdirectory query and a folder parameter.
  • Example curl command: curl -X POST http://<server-ip>:<port>/jsonrpc.js -d '{"method":"readdirectory","params":{"folder":"/"}}' -H 'Content-Type: application/json'
  • If the server responds with a listing of directory contents outside the configured media directories and without requiring authentication, the vulnerability is present.

Compliance Impact

The vulnerability allows remote, unauthenticated attackers to enumerate arbitrary directories on the host filesystem, potentially exposing sensitive information.

Such unauthorized exposure of information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding of personal and sensitive data against unauthorized access.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.

Mitigation Strategies

To mitigate the arbitrary directory listing vulnerability in Lyrion Music Server 9.2.0, immediate steps include restricting access to the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint (/jsonrpc.js) to trusted users only.

Additionally, configuring authentication mechanisms to prevent unauthenticated access and limiting the folder parameter to only authorized media directories can help reduce the risk.

If possible, updating to a patched version of the software or applying vendor-provided fixes is recommended.
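
The mitigation above of limiting the folder parameter to authorized media directories, sketched as an added example; this is not Lyrion's code or a vendor fix. The function names and the fixture layout are hypothetical, and Python is used only for illustration.

```python
import os
import tempfile


def resolve_allowed(folder, media_dirs):
    """Return the canonical path if folder lies inside a media dir, else None."""
    if not folder or "\x00" in folder:
        return None
    # realpath collapses ".." segments and follows symlinks before comparing.
    real = os.path.realpath(folder)
    for root in media_dirs:
        real_root = os.path.realpath(root)
        try:
            # commonpath compares whole path components, so a sibling such as
            # "music-private" does not pass as a child of "music".
            if os.path.commonpath([real, real_root]) == real_root:
                return real
        except ValueError:  # e.g. paths on different Windows drives
            continue
    return None


def safe_readdirectory(folder, media_dirs):
    """List folder only when it resolves inside the configured media dirs."""
    real = resolve_allowed(folder, media_dirs)
    if real is None:
        raise PermissionError("folder is outside the configured media directories")
    return sorted(os.listdir(real))


def demo():
    """Constructed fixture: one media dir, a sibling dir and an escaping symlink."""
    base = os.path.realpath(tempfile.mkdtemp())
    media = os.path.join(base, "music")
    os.makedirs(os.path.join(media, "album"))
    os.makedirs(os.path.join(base, "music-private"))
    os.symlink(base, os.path.join(media, "escape"))
    probes = {
        "inside": os.path.join(media, "album"),
        "root": "/",
        "dotdot": os.path.join(media, "..", "music-private"),
        "prefix": os.path.join(base, "music-private"),
        "symlink": os.path.join(media, "escape"),
    }
    return {name: resolve_allowed(p, [media]) is not None for name, p in probes.items()}


if __name__ == "__main__":
    print(demo())
```

Only the request for a folder inside the media directory is accepted; the filesystem root, the `..` traversal, the sibling directory sharing a name prefix and the symlink pointing out of the media directory are all rejected.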
