PatchSiren cyber security CVE debrief
CVE-2026-49128 MusicPlayerDaemon CVE debrief
Music Player Daemon (MPD) versions prior to 0.24.11 contain a path traversal vulnerability in the local storage plugin. The flaw is in `LocalStorage::MapFSOrThrow` and `LocalStorage::MapUTF8`, which concatenate a client-supplied URI onto the storage root without canonicalization, so `..` segments survive into the resolved path. An unauthenticated client on the control protocol can use the `listfiles` command to enumerate directory contents (names, sizes, modification times) and the `albumart` command to read image files outside the configured `music_directory`. The vulnerability was disclosed on 2026-05-28; any MPD instance whose control port is reachable from untrusted networks is remotely exploitable.
- Vendor: MusicPlayerDaemon
- Product: MPD
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running MPD with network-exposed control interfaces; media server administrators; security teams monitoring information disclosure risks in audio streaming infrastructure
Technical summary
The vulnerability stems from unsafe path construction in `src/storage/plugins/LocalStorage.cxx`. The `MapFSOrThrow` and `MapUTF8` functions join the configured storage root with the client-supplied URI by plain string concatenation, with no `realpath()` or equivalent canonicalization and no rejection of `..` segments. The `../` sequences therefore survive into the path handed to `openat()`; because the kernel resolves each `..` against the real parent directory, a directory file descriptor for the storage root provides no containment and the lookup walks out of `music_directory`. Through `listfiles` this yields directory metadata enumeration; through `albumart` it yields the contents of arbitrary readable image files. The fix (commit 0b5315b9) canonicalizes the mapped path before any filesystem operation.
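The following is an added illustration, not MPD's code and not the patch. It models the flaw in two small functions: `NaiveMap` reproduces the concatenation pattern the summary describes, and `SafeMap` is one way to harden it (lexical normalization plus a check that the result still lies under the root). `OpenatEscapes` then shows why an `openat()` on a directory descriptor for the root is not a containment boundary. The root `/var/lib/mpd/music`, the sample URIs and the scratch files are constructed for the example; `SafeMap` is purely lexical and does not address symlinks inside the root.

```cpp
// Added example, not MPD's code. Models the flaw described above: a storage
// root joined to a client-supplied URI by plain concatenation, and a hardened
// mapper that normalizes the path and refuses anything outside the root.
// The root path and URIs used below are constructed sample inputs.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// The vulnerable pattern: root + "/" + uri with no canonicalization, so ".."
// segments reach the filesystem call untouched.
std::string NaiveMap(std::string_view root, std::string_view uri) {
    std::string p(root);
    p += '/';
    p += uri;
    return p;
}

// Hardened mapper: reject absolute URIs, normalize lexically, then require the
// result to still lie under root. Returns std::nullopt for anything that would
// escape. Purely lexical: symlinks inside root are a separate concern.
std::optional<std::string> SafeMap(std::string_view root, std::string_view uri) {
    const fs::path base = fs::path(root).lexically_normal();
    const fs::path rel(uri);
    if (rel.empty())
        return base.string();          // an empty URI means the root itself
    if (rel.is_absolute())
        return std::nullopt;
    const fs::path full = (base / rel).lexically_normal();
    // The relative path from base to full starts with ".." iff full is outside base.
    const fs::path back = full.lexically_relative(base);
    if (back.empty())
        return std::nullopt;
    if (*back.begin() == fs::path(".."))
        return std::nullopt;
    return full.string();
}

// Shows that a directory fd gives no containment: openat(rootfd, "../secret.txt")
// opens a file that sits beside the root, not inside it. Builds and removes a
// scratch tree under $TMPDIR (or /tmp). Returns true if the escape succeeded.
bool OpenatEscapes() {
    const char *tmpdir = std::getenv("TMPDIR");
    std::string tmpl = std::string(tmpdir ? tmpdir : "/tmp") + "/mpdtravXXXXXX";
    const char *outer = mkdtemp(tmpl.data());
    if (outer == nullptr)
        return false;
    const std::string root = std::string(outer) + "/music";
    const std::string secret = std::string(outer) + "/secret.txt";
    if (mkdir(root.c_str(), 0700) != 0)
        return false;
    int sfd = open(secret.c_str(), O_WRONLY | O_CREAT, 0600);
    if (sfd < 0)
        return false;
    close(sfd);
    int rootfd = open(root.c_str(), O_RDONLY | O_DIRECTORY);
    if (rootfd < 0)
        return false;
    int fd = openat(rootfd, "../secret.txt", O_RDONLY);   // the traversal
    const bool escaped = fd >= 0;
    if (fd >= 0)
        close(fd);
    close(rootfd);
    unlink(secret.c_str());
    rmdir(root.c_str());
    rmdir(outer);
    return escaped;
}

int main() {
    const std::string_view root = "/var/lib/mpd/music";   // assumed root
    const char *uris[] = {"albums/cover.jpg", "../../../../etc/passwd", "/etc/passwd"};
    for (const char *uri : uris) {
        auto safe = SafeMap(root, uri);
        std::printf("%-26s naive=%s safe=%s\n", uri, NaiveMap(root, uri).c_str(),
                    safe ? safe->c_str() : "REJECTED");
    }
    std::printf("openat escapes root fd: %s\n", OpenatEscapes() ? "yes" : "no");
    return 0;
}
```

The rejection in `SafeMap` happens before any syscall, which is the point: once a `..` segment reaches `openat()`, neither the directory descriptor nor the process's working directory will stop the kernel from following it upward.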
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to MPD 0.24.11 or later to obtain the canonicalization fix in LocalStorage URI handling
- Restrict network access to MPD control port (default 6600) to trusted hosts only
- Consider firewall rules or binding to localhost for MPD instances not requiring remote control
- Review MPD process file system permissions to limit exposure of sensitive directories
- Monitor for `listfiles` or `albumart` commands whose URI argument contains `..` segments; note that MPD records client commands only at its verbose log level, so raise `log_level` on exposed instances if this detection is relied on
- If immediate patching is not feasible and the instance does not serve a local `music_directory`, disable the local storage plugin; where it is required, treat network isolation of the control port as the compensating control
Evidence notes
Vulnerability confirmed via commit 0b5315b9e5a42cb0e88bf46a7579bb5641543f60 addressing path construction in local storage plugin. Issue #2484 tracks the security report. Fixed in release v0.24.11 per official release notes and NEWS file. Independent security research by mstreet97 documents four reachable bugs including this path traversal. VulnCheck advisory provides coordinated disclosure context.
Official resources
2026-05-28