Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.
AnalysisAI
SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.
Technical ContextAI
OwnTone Server implements the Digital Audio Access Protocol (DAAP) to serve music libraries over HTTP. The vulnerability exists in query and filter parameter parsing for integer-mapped DAAP fields. When constructing SQL WHERE clauses, the application fails to properly sanitize user-supplied values in the query= and filter= parameters before concatenating them into SQL statements (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). This allows attackers to break out of intended SQL syntax and inject arbitrary expressions, such as OR 1=1 or UNION-based injection payloads. The CPE indicates the flaw affects OwnTone Server across multiple minor versions (28.4 through 29.0), suggesting the vulnerable code path was introduced or persisted across this version range.
RemediationAI
Upgrade OwnTone Server to the patched version containing commit d4784ebf2099ed1a4203333aee957e5c7553c217 or later. Consult the OwnTone Server GitHub repository (https://github.com/owntone/owntone-server) and the VulnCheck advisory (https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters) for exact released version numbers and deployment instructions. As an interim workaround if patching is delayed, restrict network access to the DAAP service by implementing firewall rules to allow connections only from trusted internal network segments or specific IP ranges, and disable DAAP remote access if not required. Note that these mitigations do not eliminate the vulnerability but reduce the attacker surface. Immediate patching is strongly recommended as the fix is available and the attack is trivial to execute.
More in Owntone Server
View allNULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through co
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attacker
OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_bind() in misc.c. Rated critical severity (CVSS 9.
Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remot
NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e
Same weakness CWE-89 – SQL Injection
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24585
GHSA-6742-w24p-5jgf