CVE-2026-50233
Arbitrary Directory Listing in Lyrion Music Server
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lyrion | music_server | 9.2.0 |
| lyrion | music_server | to 9.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-548 | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-50233 is an arbitrary directory listing vulnerability found in Lyrion Music Server version 9.2.0 or earlier.
The vulnerability exists in the readdirectory query, which can be accessed via the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js.
This query accepts a folder parameter and lists the contents of that folder without restricting access to only configured media directories and without requiring authentication in the default configuration.
As a result, a remote, unauthenticated attacker can enumerate arbitrary locations on the host filesystem.
How can this vulnerability impact me?
This vulnerability allows remote attackers to list arbitrary directories on the host filesystem without authentication.
Such unauthorized directory enumeration can expose sensitive information about the system's file structure and contents.
Attackers could use this information to plan further attacks or gain insights into the system's configuration and data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the readdirectory query on the affected Lyrion Music Server 9.2.0 or earlier versions. You can test both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js.
- For the CLI service, use a network tool like netcat or telnet to connect to port 9090 and send a crafted readdirectory query with a folder parameter to see if directory contents are returned without authentication.
- For the HTTP JSON-RPC endpoint, use curl or a similar HTTP client to send a POST request to http://<server-ip>:<port>/jsonrpc.js with a JSON body containing the readdirectory query and a folder parameter.
- Example curl command:

```bash
curl -X POST http://<server-ip>:<port>/jsonrpc.js \
  -H 'Content-Type: application/json' \
  -d '{"method":"readdirectory","params":{"folder":"/"}}'
```
- If the server responds with a listing of directory contents outside the configured media directories and without requiring authentication, the vulnerability is present.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote, unauthenticated attackers to enumerate arbitrary directories on the host filesystem, potentially exposing sensitive information.
Such unauthorized exposure of information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding of personal and sensitive data against unauthorized access.
However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the arbitrary directory listing vulnerability in Lyrion Music Server 9.2.0, immediate steps include restricting access to the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint (/jsonrpc.js) to trusted users only.
Additionally, configuring authentication mechanisms to prevent unauthenticated access and limiting the folder parameter to only authorized media directories can help reduce the risk.
If possible, updating to a patched version of the software or applying vendor-provided fixes is recommended.
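The allowlist step recommended above ("limiting the folder parameter to only authorized media directories") is the CWE-548 mitigation at the application layer. The following is an added example written for this page, not Lyrion Music Server's own code, showing how such a check is done correctly: the requested folder is resolved through symlinks with realpath and then tested for containment in a configured media root, so that `..` traversal and symlinks that point outside the media tree are refused as well as plain absolute paths. The function names, the temporary sample tree and the parameter name `folder` are assumptions for illustration.

```python
import os
import tempfile


def is_within_media_roots(folder: str, media_roots: list) -> bool:
    """True only if `folder` resolves (symlinks included) to a path at or
    below one of the configured media roots. Assumed helper, not Lyrion code."""
    target = os.path.realpath(folder)
    for root in media_roots:
        real_root = os.path.realpath(root)
        try:
            # commonpath equals the root exactly when target is root or under it;
            # a sibling such as /music2 vs /music yields "/" and is rejected.
            if os.path.commonpath([real_root, target]) == real_root:
                return True
        except ValueError:
            # Paths on different drives (Windows) cannot share a prefix.
            continue
    return False


def list_folder_restricted(folder: str, media_roots: list) -> list:
    """Directory listing that refuses anything outside the configured roots."""
    if not is_within_media_roots(folder, media_roots):
        raise PermissionError("folder is outside the configured media directories")
    return sorted(os.listdir(folder))


def demo() -> dict:
    """Build a constructed sample tree and exercise the check on four inputs."""
    base = tempfile.mkdtemp(prefix="lms-demo-")
    media = os.path.join(base, "music")
    album = os.path.join(media, "album")
    os.makedirs(album)
    open(os.path.join(album, "track01.flac"), "w").close()

    # A directory that must never be listable through the media endpoint.
    private = os.path.join(base, "private")
    os.makedirs(private)
    open(os.path.join(private, "keys.txt"), "w").close()

    # A symlink inside the media tree that escapes to the private directory.
    escape = os.path.join(media, "escape")
    try:
        os.symlink(private, escape)
        symlink_ok = is_within_media_roots(escape, [media])
    except OSError:
        symlink_ok = False  # platform without symlink support: nothing to escape through

    roots = [media]
    return {
        "inside": is_within_media_roots(album, roots),                           # True
        "traversal": is_within_media_roots(os.path.join(media, "..", "private"), roots),  # False
        "symlink": symlink_ok,                                                   # False
        "absolute": is_within_media_roots("/", roots),                           # False
        "album_listing": list_folder_restricted(album, roots),                   # ["track01.flac"]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is done on the resolved path, not on the string the client sent; comparing prefixes of the raw parameter would still let `..` segments and symlinks reach outside the allowlist. In a real deployment this check complements, rather than replaces, authentication on the CLI and JSON-RPC interfaces.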