VYPR
High severity · 7.5 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10108

Description

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

xiaomusic v0.5.7 has an unauthenticated path traversal in GET /music/{file_path:path} due to a missing trailing separator in the path prefix check, allowing arbitrary file read.

Vulnerability

The vulnerability exists in xiaomusic v0.5.7 (and earlier) in the music_file() function within file.py. The endpoint GET /music/{file_path:path} validates that the resolved file path starts with the configured music_path, but the check absolute_file_path.startswith(absolute_path) lacks a trailing os.sep. This allows paths from sibling directories whose names share the prefix (e.g., music_secret starts with music) to bypass the restriction. Affected versions: xiaomusic <= 0.5.7. [1][3]

Exploitation

An unauthenticated attacker can send a crafted request such as /music/../music_secret/private.txt where the sibling directory name begins with the music_path prefix. No authentication is required because the default configuration sets XIAOMUSIC_DISABLE_HTTPAUTH=true. The attacker only needs network access to the server. [1]

Impact

Successful exploitation allows reading arbitrary files from sibling directories that share the music_path prefix. This can lead to disclosure of sensitive data such as private recordings, configuration files, or other secrets stored in directories like music_private, music_backup, etc. The impact is high confidentiality loss with no integrity or availability impact. [1][3]

Mitigation

The fix is in commit 88404da which adds + os.sep to the startswith check in music_file() and get_picture() endpoints. Users should update to a version containing this commit (e.g., after PR #891). No workaround is available; the only mitigation is to apply the patch. [2][4]

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

88404da7a283

fix: add trailing separator to path containment checks (CWE-22) (#891)

https://github.com/hanxi/xiaomusic · sysy · May 26, 2026 · via nvd-ref
1 file changed · +3 −3
  • xiaomusic/api/routers/file.py · +3 −3 · modified
    @@ -965,14 +965,14 @@ async def music_file(request: Request, file_path: str, key: str = "", code: str
             else:
                 temp_base = os.path.abspath(config.temp_path)
             absolute_file_path = os.path.normpath(os.path.join(temp_base, temp_file_name))
    -        if not absolute_file_path.startswith(temp_base):
    +        if not absolute_file_path.startswith(temp_base + os.sep):
                 raise HTTPException(status_code=404, detail="File not found")
             if not os.path.exists(absolute_file_path):
                 raise HTTPException(status_code=404, detail="File not found")
         else:
             absolute_path = os.path.abspath(config.music_path)
             absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
    -        if not absolute_file_path.startswith(absolute_path):
    +        if not absolute_file_path.startswith(absolute_path + os.sep):
                 raise HTTPException(status_code=404, detail="File not found")
             if not os.path.exists(absolute_file_path):
                 raise HTTPException(status_code=404, detail="File not found")
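Review bot: the two corrected checks in this hunk (`temp_base + os.sep` and `absolute_path + os.sep`) are the same containment test written out twice; a single helper such as `def _is_within(base, path): return os.path.commonpath([base, path]) == base` would keep the two branches from drifting apart again and does not depend on string-prefix semantics at all. Also note that `os.path.abspath` and `os.path.normpath` do not resolve symbolic links, so a symlink placed inside `config.music_path` or `config.temp_path` that points elsewhere still passes the `startswith` test; if that matters for this deployment model, resolve both sides with `os.path.realpath` before comparing. The added separator means a request that resolves to the base directory itself is now rejected, which is the right behaviour for a file endpoint but deserves a one-line comment so the `+ os.sep` is not "cleaned up" later.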
    @@ -1019,7 +1019,7 @@ async def get_picture(request: Request, file_path: str, key: str = "", code: str
     
         absolute_path = os.path.abspath(config.picture_cache_path)
         absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
    -    if not absolute_file_path.startswith(absolute_path):
    +    if not absolute_file_path.startswith(absolute_path + os.sep):
             raise HTTPException(status_code=404, detail="File not found")
         if not os.path.exists(absolute_file_path):
             raise HTTPException(status_code=404, detail="File not found")
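Review bot: the `get_picture()` check now matches `music_file()`, but nothing in this PR adds a regression test for the CWE-22 fix. A test that creates `config.picture_cache_path` beside a directory whose name shares its prefix (for example `<cache>_x`), writes a file there, and requests it through the route with a `../` component should assert a 404 both here and for the `/music/` route; without it a future refactor can silently drop the `+ os.sep` and reintroduce the sibling-prefix bypass.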
    

Vulnerability mechanics

Root cause

"Missing trailing path separator in startswith containment check allows sibling-prefix directory traversal."

Attack vector

An unauthenticated attacker sends a crafted GET request to `/music/{file_path:path}` (or `/picture/{file_path:path}`) with a path traversal sequence such as `../music_secret/stolen.txt`. Because the `startswith` check lacks a trailing separator, a path like `/home/user/music_secret/stolen.txt` passes validation against the base `/home/user/music` since `music_secret` starts with `music`. This allows reading arbitrary files from sibling directories that share the `music_path` prefix. The default configuration (`XIAOMUSIC_DISABLE_HTTPAUTH=true`) means no authentication is required. [ref_id=1]

Affected code

The vulnerability resides in `xiaomusic/api/routers/file.py` in the `music_file()` function (lines 968 and 975) and the `get_picture()` function (line 1022). These endpoints use `startswith()` without a trailing `os.sep` to validate that the resolved file path stays within the intended base directory.

What the fix does

The patch appends `os.sep` to the base path in every `startswith` containment check, changing `absolute_file_path.startswith(absolute_path)` to `absolute_file_path.startswith(absolute_path + os.sep)`. This ensures that only paths strictly inside the intended directory pass validation: for example, `/home/user/music_secret/stolen.txt` no longer starts with `/home/user/music/`. The fix is applied to both the `music_file()` and `get_picture()` endpoints. [patch_id=3104650]
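The following is an added example, not code from the xiaomusic project or from this advisory; it reproduces the containment check as described in the Vulnerability section and in the patch (resolve the base, join and normalise the requested path, then test the prefix) so the pre-fix and post-fix behaviour can be compared side by side. It uses `posixpath` instead of `os.path` so the result is the same on any host, the base directory and request strings are constructed for illustration, and it goes one step beyond the patch by adding a `commonpath`-based variant that also accepts the base directory itself.

```python
import posixpath

# Constructed sample configuration (not a real deployment): the served
# music directory and a sibling directory whose name shares its prefix.
MUSIC_PATH = "/srv/xiaomusic/music"


def resolve(base: str, file_path: str) -> tuple[str, str]:
    """Mirror the route's resolution: absolute base, then normpath(join(base, request)).

    posixpath.normpath stands in for os.path.abspath here because the
    constructed base is already absolute; neither resolves symlinks.
    """
    absolute_base = posixpath.normpath(base)
    absolute_file = posixpath.normpath(posixpath.join(absolute_base, file_path))
    return absolute_base, absolute_file


def is_within_vulnerable(base: str, file_path: str) -> bool:
    """Pre-fix check (xiaomusic <= 0.5.7): bare prefix test, no trailing separator."""
    absolute_base, absolute_file = resolve(base, file_path)
    return absolute_file.startswith(absolute_base)


def is_within_fixed(base: str, file_path: str) -> bool:
    """Post-fix check from commit 88404da: prefix test with a trailing separator."""
    absolute_base, absolute_file = resolve(base, file_path)
    return absolute_file.startswith(absolute_base + posixpath.sep)


def is_within_commonpath(base: str, file_path: str) -> bool:
    """Alternative not used by the patch: containment via the common path prefix.

    Unlike the string test this also accepts the base directory itself and
    does not depend on how the separator is spelled.
    """
    absolute_base, absolute_file = resolve(base, file_path)
    return posixpath.commonpath([absolute_base, absolute_file]) == absolute_base


def classify(base: str, file_path: str) -> dict[str, bool]:
    """Run all three checks on one request string and report the verdicts."""
    return {
        "vulnerable": is_within_vulnerable(base, file_path),
        "fixed": is_within_fixed(base, file_path),
        "commonpath": is_within_commonpath(base, file_path),
    }


if __name__ == "__main__":
    # Constructed request strings covering the normal case, the sibling-prefix
    # bypass from the advisory, a plain traversal, an absolute path, and the
    # base directory itself.
    requests = [
        "album/track.mp3",
        "../music_secret/private.txt",
        "../../../etc/passwd",
        "/etc/passwd",
        ".",
    ]
    print(f"{'request':32} {'resolved':44} vulnerable fixed commonpath")
    for req in requests:
        _, resolved = resolve(MUSIC_PATH, req)
        verdict = classify(MUSIC_PATH, req)
        print(f"{req:32} {resolved:44} "
              f"{verdict['vulnerable']!s:10} {verdict['fixed']!s:5} {verdict['commonpath']!s}")
```

Running the script shows the only row where the three checks disagree in the advisory's direction is `../music_secret/private.txt`: the bare prefix test accepts it because `/srv/xiaomusic/music_secret/private.txt` starts with `/srv/xiaomusic/music`, while both the patched test and `commonpath` reject it. The `.` row shows the one behavioural difference the patch introduces: a request resolving to the base directory itself is now refused by the `+ os.sep` form but still accepted by `commonpath`, which is harmless for a file-serving route but worth knowing when porting the fix elsewhere.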

Preconditions

  • config: The XIAOMUSIC_DISABLE_HTTPAUTH configuration must be true (the default) so no authentication is required.
  • network: The attacker must have network access to the xiaomusic HTTP server.
  • input: A sibling directory must exist whose name shares the music_path prefix (e.g., music_secret, music_backup).

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
