PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41457 owntone CVE debrief

CVE-2026-41457 is a SQL injection vulnerability in OwnTone Server versions 28.4 through 29.0. The vulnerability is located in the DAAP query and filter handling, allowing attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. This vulnerability allows attackers to bypass filters and gain unauthorized access to media library data. The CVSS score for this vulnerability is 6.9, indicating a medium severity. Users of OwnTone Server should review and mitigate this vulnerability.

Vendor
owntone
Product
owntone-server
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-07-14
Advisory published
2026-04-22
Advisory updated
2026-07-14

Who should care

Users of OwnTone Server versions 28.4 through 29.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating their systems to prevent unauthorized access to media library data.

Technical summary

The vulnerability is caused by insufficient sanitization of user input in the DAAP query and filter handling. Attackers can exploit this vulnerability to bypass filters and gain unauthorized access to media library data. The CVSS score for this vulnerability is 6.9, indicating a medium severity. OwnTone Server versions 28.4 through 29.0 are affected. Users of OwnTone Server should review and mitigate this vulnerability by updating to a version that is not vulnerable, implementing input validation and sanitization for DAAP query and filter parameters, and monitoring for suspicious activity on the OwnTone Server. Additionally, defenders should verify OwnTone Server versions 28.4 through 29.0 exposure and review insufficient sanitization of DAAP query and filter handling.

Defensive priority

Medium

Recommended defensive actions

  • Update OwnTone Server to a version that is not vulnerable
  • Implement input validation and sanitization for DAAP query and filter parameters
  • Monitor for suspicious activity on the OwnTone Server
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-04-22T03:16:00.613Z and last modified on 2026-07-14T21:16:50.540Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify OwnTone Server versions 28.4 through 29.0 exposure and review insufficient sanitization of DAAP query and filter handling.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T03:16:00.613Z and has not been modified since then. The NVD entry is currently Deferred.