OwnTone Server CVE-2026-41458

| EUVD-2026-24587 HIGH
Race Condition (CWE-362)
2026-04-22 VulnCheck GHSA-rvqf-8mp6-8qjg
Denial Of Service Race Condition Owntone Server
8.2
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Apr 22, 2026 - 03:23 vuln.today
CVSS changed
Apr 22, 2026 - 03:22 NVD
8.2 (HIGH)

DescriptionNVD

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

AnalysisAI

Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remote denial of service without authentication. Attack complexity is high (CVSS AC:H) but requires no privileges, enabling unauthenticated attackers to flood the /login endpoint and trigger crashes through unsynchronized global state access. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: identify all OwnTone Server instances running versions 28.4-29.0 in your environment. Within 7 days: apply vendor patch via GitHub commit dca94641 or upgrade to patched release. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-41458 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy