CVE-2026-49129 MusicPlayerDaemon CVE debrief

Who should care

Organizations running Music Player Daemon instances with network-exposed control interfaces, audio streaming services using MPD for remote content fetching, and security teams monitoring for SSRF vulnerabilities in media server infrastructure.

Technical summary

The vulnerability stems from incomplete curl configuration in MPD's CurlInputPlugin. When CURLOPT_FOLLOWLOCATION is set to follow HTTP redirects without CURLOPT_REDIR_PROTOCOLS_STR to restrict allowed protocols, curl will follow redirects to any supported protocol. This allows an attacker who controls a malicious HTTP server to redirect MPD's URL fetch requests to non-HTTP protocols (gopher, ftp, sftp, ldap, dict, rtmp, rtsp), effectively bypassing MPD's http/https scheme restriction. The attacker can trigger this via standard MPD commands that fetch URLs. Systems with libcurl >= 7.85.0 have additional protections, but the configuration gap in MPD remains a vulnerability on older libcurl versions.

Defensive priority

medium

Recommended defensive actions

• Upgrade Music Player Daemon to version 0.24.11 or later
• Ensure libcurl is updated to version 7.85.0 or later
• Restrict network access to MPD control interfaces to trusted hosts only
• Monitor MPD logs for suspicious URL fetch requests involving non-HTTP protocols
• Review and validate any custom MPD configurations that enable remote URL fetching
• Consider implementing network segmentation to limit MPD's ability to reach internal services

Evidence notes

Vulnerability confirmed through official MPD commit fixing the issue, GitHub issue #2487, and release notes for version 0.24.11. VulnCheck advisory provides additional technical context. CVSS 4.0 vector indicates network attack vector with low attack complexity and no privileges required.

Official resources