Skip to main content

OwnTone Server EUVDEUVD-2026-24585

| CVE-2026-41457 MEDIUM
SQL Injection (CWE-89)
2026-04-22 VulnCheck GHSA-6742-w24p-5jgf
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 22, 2026 - 03:22 vuln.today
CVSS changed
Apr 22, 2026 - 03:22 NVD
6.9 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 03:00 euvd
EUVD-2026-24585
Analysis Generated
Apr 22, 2026 - 03:00 vuln.today
Patch released
Apr 22, 2026 - 03:00 nvd
Patch available
CVE Published
Apr 22, 2026 - 01:46 nvd
MEDIUM 6.9

DescriptionCVE.org

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

AnalysisAI

SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.

Technical ContextAI

OwnTone Server implements the Digital Audio Access Protocol (DAAP) to serve music libraries over HTTP. The vulnerability exists in query and filter parameter parsing for integer-mapped DAAP fields. When constructing SQL WHERE clauses, the application fails to properly sanitize user-supplied values in the query= and filter= parameters before concatenating them into SQL statements (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). This allows attackers to break out of intended SQL syntax and inject arbitrary expressions, such as OR 1=1 or UNION-based injection payloads. The CPE indicates the flaw affects OwnTone Server across multiple minor versions (28.4 through 29.0), suggesting the vulnerable code path was introduced or persisted across this version range.

RemediationAI

Upgrade OwnTone Server to the patched version containing commit d4784ebf2099ed1a4203333aee957e5c7553c217 or later. Consult the OwnTone Server GitHub repository (https://github.com/owntone/owntone-server) and the VulnCheck advisory (https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters) for exact released version numbers and deployment instructions. As an interim workaround if patching is delayed, restrict network access to the DAAP service by implementing firewall rules to allow connections only from trusted internal network segments or specific IP ranges, and disable DAAP remote access if not required. Note that these mitigations do not eliminate the vulnerability but reduce the attacker surface. Immediate patching is strongly recommended as the fix is available and the attack is trivial to execute.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-24585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy