VYPR
High severity · 7.5 · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-49128

Description

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated path traversal in Music Player Daemon < 0.24.11 allows directory listing and file read outside music_directory.

Vulnerability

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin (src/storage/plugins/LocalStorage.cxx:86-101). The on-disk path is constructed by joining the storage root with the user-supplied URI as plain strings without canonicalization, so .. segments survive into the resolved path and are flattened by the kernel at openat() time [2]. Affected are all versions before 0.24.11 [1][3].

Exploitation

An unauthenticated attacker can use the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files (cover.{png,jpg,jxl,webp}) in any attacker-chosen directory outside the configured music_directory [2]. No authentication or special privileges are required; only network access to the MPD command port (default 6600) is needed. For listfiles, the URI string is passed directly to MapFSOrThrow, which concatenates base_fs with the URI, e.g., music_directory/../../../etc/ssh [2]. The albumart command similarly uses MapUTF8 on a URI and reads the parent directory of the resolved path [2].

Impact

On success, an attacker gains the ability to list the contents of any directory that the MPD process can read (e.g., mpd:audio user on Debian/Ubuntu, covering much of /etc, /usr, /var, and readable subtrees of /home) [2]. For albumart, the attacker can read specific image files from arbitrary directories [2]. This constitutes a serious information disclosure (violation of confidentiality) of file names and certain file contents.

Mitigation

A fix was released in MPD version 0.24.11 on 2026-05-15 [1][3]. Users should upgrade to 0.24.11 or later. No workarounds are documented in the available references. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the available references.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

0b5315b9e5a4

LocateUri: validate relative URIs with uri_safe_local()

https://github.com/musicplayerdaemon/mpd · Max Kellermann · May 14, 2026 · via nvd-ref
2 files changed · +8 −1
  • NEWS (+2 −0, modified)
    @@ -1,4 +1,6 @@
     ver 0.24.11 (not yet released)
    +* protocol
    +  - fix path traversal bug
     * playlist: do not allow newlines in song URIs
     
     ver 0.24.10 (2026/05/06)
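Review bot: the NEWS line "fix path traversal bug" gives packagers nothing to match an advisory against; name CVE-2026-49128 and the affected commands (listfiles, albumart) in the entry so the release note can be tied to the fix and backported with confidence.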
    
  • src/LocateUri.cxx (+6 −1, modified)
    @@ -9,6 +9,7 @@
     #include "storage/Registry.hxx"
     #include "util/ASCII.hxx"
     #include "util/UriExtract.hxx"
    +#include "util/UriUtil.hxx"
     
     #ifdef ENABLE_DATABASE
     #include "storage/StorageInterface.hxx"
    @@ -115,6 +116,10 @@ LocateUri(UriPluginKind kind,
     					 , storage
     #endif
     					 );
    -	else
    +	else {
    +		if (!uri_safe_local(uri))
    +			throw std::invalid_argument{"Bad relative path"};
    +
     		return LocatedUri(LocatedUri::Type::RELATIVE, uri);
    +	}
     }
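Review bot: the new else branch throws std::invalid_argument, but the patch only adds "util/UriUtil.hxx"; unless <stdexcept> already reaches this translation unit through an existing header, include it explicitly rather than relying on transitive includes. Placing the uri_safe_local() check before the LocatedUri is constructed is the right ordering, since the raw URI never reaches the storage plugin; a regression test that sends `listfiles ..` (the reproducer named in the commit message) and expects "Bad relative path" would lock that in.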
    

Vulnerability mechanics

Root cause

"Missing validation of user-supplied relative URIs allows `..` path traversal segments to survive into the resolved on-disk path."

Attack vector

An unauthenticated attacker sends a crafted relative URI containing `..` path traversal sequences (e.g. `listfiles ..`) to the MPD command interface. The `LocateUri` function previously accepted such URIs without validation [patch_id=2980738]. The local storage plugin then joins the storage root with the attacker-supplied URI as a plain string, and the `..` segments are flattened by the kernel at `openat()` time. This allows the attacker to enumerate directory contents (names, sizes, modification times) via `listfiles` and read arbitrary image files via `albumart` from any directory readable by the MPD process outside the configured `music_directory`.

Affected code

The vulnerability resides in `src/LocateUri.cxx` in the `LocateUri` function. When a relative URI is supplied (e.g. via the `listfiles` or `albumart` commands), the code previously accepted the URI without validation and passed it to the local storage plugin. The downstream functions `LocalStorage::MapFSOrThrow` and `LocalStorage::MapUTF8` then joined the storage root with the user-supplied URI as plain strings, allowing `..` segments to survive into the resolved path.

What the fix does

The patch adds a call to `uri_safe_local(uri)` in `LocateUri` before accepting a relative URI [patch_id=2980738]. This function validates that the URI does not contain path traversal components such as `..`. If the URI fails validation, an `std::invalid_argument` exception is thrown with the message "Bad relative path", preventing the malicious URI from reaching the local storage plugin. The commit message explicitly states this fixes "an ugly path traversal bug that allowed clients to do 'listfiles ..'".
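The pattern the two paragraphs above describe, as an added C++ illustration that is not MPD's code: `map_fs_naive` re-creates the plain-string join, `safe_relative_uri` is a hypothetical stand-in for the kind of segment check the fix introduces (not the real `uri_safe_local`), and `stays_under_root` is a lexical oracle a defender can use to see why the naive join escapes the root; `/srv/music` is a constructed root.

```cpp
#include <cstddef>
#include <filesystem>
#include <stdexcept>
#include <string>
#include <string_view>
namespace fs = std::filesystem;

// Vulnerable pattern (re-created, not MPD's code): root and client URI are
// joined as plain strings; nothing rejects "..", the kernel resolves it later.
std::string map_fs_naive(std::string_view root, std::string_view uri) {
    return uri.empty() ? std::string(root)
                       : std::string(root) + '/' + std::string(uri);
}

// Segment check in the spirit of the fix (hypothetical name, not MPD's
// uri_safe_local): reject absolute URIs and any "/"-separated ".." segment.
bool safe_relative_uri(std::string_view uri) {
    if (!uri.empty() && uri.front() == '/')
        return false;
    for (std::size_t start = 0; start <= uri.size();) {
        std::size_t end = uri.find('/', start);
        if (end == std::string_view::npos)
            end = uri.size();
        if (uri.substr(start, end - start) == "..")
            return false;
        start = end + 1;
    }
    return true;  // the empty URI ("list the storage root") stays allowed
}

// Defender-side oracle: after lexical normalisation, does the joined path
// still sit inside root? Shows the naive join escaping for "../../etc/ssh".
bool stays_under_root(std::string_view root, std::string_view uri) {
    fs::path r = fs::path(root).lexically_normal();
    fs::path p = fs::path(map_fs_naive(root, uri)).lexically_normal();
    fs::path rel = p.lexically_relative(r);
    return !rel.empty() && rel.string().rfind("..", 0) != 0;
}

// Hardened mapping, same ordering as the fix: validate first, then join.
std::string map_fs_checked(std::string_view root, std::string_view uri) {
    if (!safe_relative_uri(uri))
        throw std::invalid_argument{"Bad relative path"};
    return map_fs_naive(root, uri);
}

// True when the hardened mapping rejects the URI (constructed root).
bool rejected(std::string_view uri) {
    try { map_fs_checked("/srv/music", uri); } catch (const std::invalid_argument&) { return true; }
    return false;
}
```

Note that `safe_relative_uri` is stricter than the lexical oracle: `albums/../cover.jpg` would normalise to a path inside the root, yet it is rejected because a `..` segment is present at all.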

Preconditions

  • config: MPD must be configured with a local storage plugin (the default configuration)
  • network: The attacker must be able to reach the MPD command interface (TCP port 6600 by default)
  • auth: No authentication is required (the MPD protocol is unauthenticated by default)
  • input: The attacker supplies a relative URI containing '..' path traversal sequences

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7