Skip to main content

Music Player Daemon CVE-2026-49129

| EUVDEUVD-2026-33005 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-28 VulnCheck GHSA-5c2h-g7wx-c499
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 28, 2026 - 20:24 vuln.today
Analysis Generated
May 28, 2026 - 20:24 vuln.today
CVSS changed
May 28, 2026 - 20:22 NVD
5.8 (MEDIUM) 6.9 (MEDIUM)
CVE Published
May 28, 2026 - 19:10 nvd
MEDIUM 6.9

DescriptionCVE.org

Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.

AnalysisAI

Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypass HTTP/HTTPS scheme restrictions by exploiting the CurlInputPlugin's failure to set CURLOPT_REDIR_PROTOCOLS_STR alongside CURLOPT_FOLLOWLOCATION in libcurl. An attacker who can submit URLs to MPD via commands such as add, readcomments, albumart, readpicture, or load can cause MPD to follow redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp - enabling interaction with internal or restricted network services. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the CVSS 4.0 score of 6.9 with a fully unauthenticated network attack vector warrants prompt patching on any externally accessible MPD deployment.

Technical ContextAI

MPD's CurlInputPlugin uses libcurl's CURLOPT_FOLLOWLOCATION option to transparently follow HTTP redirects when fetching remote media or metadata. The vulnerability arises because CURLOPT_REDIR_PROTOCOLS_STR - introduced in libcurl 7.85.0 and designed specifically to whitelist permitted redirect target protocols - was not set. In libcurl versions prior to 7.85.0, the legacy behavior permits redirects to any supported protocol, including non-HTTP schemes. CWE-918 (Server-Side Request Forgery) captures this root cause: the server (MPD) performs network requests on behalf of user-supplied input without adequately restricting the scope of those requests. The affected CPE is cpe:2.3:a:musicplayerdaemon:mpd:*:*:*:*:*:*:*:* for all versions before 0.24.11. The commit diff at 78341dd6c7b101c3feede233d4cc4f8f1fcc4bb3 confirms the fix: the minimum required libcurl dependency was raised from 7.55 to 7.85 in meson.build, enforcing protocol restriction during redirects at build time.

RemediationAI

Upgrade MPD to version 0.24.11, the vendor-released patch confirmed at https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/ and https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11. Critically, MPD 0.24.11 also requires libcurl >= 7.85.0 at build time (enforced in meson.build); verify that the underlying libcurl on the target system meets this minimum before or alongside the MPD upgrade. If immediate patching is not possible, restrict access to MPD's command socket (default TCP 6600) to only trusted local or administrative hosts using firewall rules or network segmentation - this eliminates the ability for external or untrusted clients to submit malicious URLs. A second compensating control is to avoid exposing MPD to URLs from untrusted sources at the application level (e.g., disable playlist loading from external sources). Note that restricting the command port may impact legitimate remote control clients; weigh this trade-off against exposure risk.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-49129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy