Which versions of LocalStorage are affected by CVE-2026-49128?

Music Player Daemon (MPD) versions prior to 0.24.11 contain a path traversal vulnerability that enables unauthenticated remote attackers to access arbitrary files and directories on affected systems.. A patch is available.

How to fix or mitigate CVE-2026-49128?

Within 24 hours: Identify all MPD instances in your environment and restrict network access to trusted endpoints only. Within 7 days: Upgrade all Music Player Daemon instances to version 0.24.11 or later. Within 30 days: Conduct a comprehensive audit of access logs to identify any unauthorized file access prior to patching, and verify that all instances have been successfully updated to the patched version.

LocalStorage CVE-2026-49128

Q: What is the CVSS score of CVE-2026-49128?

CVE-2026-49128 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-33001 HIGH

Path Traversal (CWE-22)

2026-05-28 VulnCheck

Path Traversal

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 20:28 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 20:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 20:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 20:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Source Code Evidence Fetched

May 28, 2026 - 20:20 vuln.today

Analysis Generated

May 28, 2026 - 20:20 vuln.today

DescriptionNVD

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

AnalysisAI

Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. …

RemediationAI

Within 24 hours: Identify all MPD instances in your environment and restrict network access to trusted endpoints only. Within 7 days: Upgrade all Music Player Daemon instances to version 0.24.11 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-49128 vulnerability details – vuln.today

Back

LocalStorage CVE-2026-49128

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

LocalStorage CVE-2026-49128

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code