PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41458 owntone CVE debrief

CVE-2026-41458 is a high-severity vulnerability in OwnTone Server versions 28.4 through 29.0. The vulnerability is caused by a race condition in the DAAP login handler, which allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

Vendor
owntone
Product
owntone-server
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-07-14
Advisory published
2026-04-22
Advisory updated
2026-07-14

Who should care

Users of OwnTone Server versions 28.4 through 29.0 should apply patches or mitigations to prevent exploitation of this vulnerability. Security teams and administrators responsible for OwnTone Server installations should prioritize patching and monitoring for potential attacks.

Technical summary

The vulnerability is caused by a race condition in the DAAP login handler of OwnTone Server versions 28.4 through 29.0. This condition allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. The attack can be carried out by flooding the DAAP /login endpoint with concurrent requests, triggering a remote denial of service condition without requiring authentication. The CVSS score for this vulnerability is 8.2, indicating a high severity level.

Defensive priority

High priority should be given to patching OwnTone Server versions 28.4 through 29.0 to prevent exploitation of this vulnerability. In the absence of a patch, implementing rate limiting or IP blocking on the DAAP /login endpoint may help mitigate the risk of exploitation.

Recommended defensive actions

  • Apply patches or updates to OwnTone Server versions 28.4 through 29.0
  • Implement rate limiting or IP blocking on the DAAP /login endpoint
  • Monitor for potential attacks and suspicious activity
  • Review and update incident response plans
  • Confirm whether affected OwnTone Server deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed OwnTone Server systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated OwnTone Server assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-04-22T03:16:01.067Z and was last modified on 2026-07-14T21:16:50.650Z. The NVD entry is currently Deferred. The vulnerability was disclosed by Vulncheck, and additional information can be found in the references provided.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T03:16:01.067Z and has not been modified since then. The NVD entry is currently Deferred.