CVE-2026-41458: DoS in OwnTone Server
Platform: nodejs
Component: owntone-server
Fixed in: 29.1.0
CVE-2026-41458 describes a Denial of Service (DoS) vulnerability affecting OwnTone Server versions 28.4 through 29.0. This flaw allows unauthenticated attackers to crash the server by exploiting a race condition in the DAAP login handler. The vulnerability is triggered by flooding the /login endpoint with concurrent requests, leading to a remote denial of service. A fix is available in version 29.1.0.
Impact and Attack Scenarios
The primary impact of CVE-2026-41458 is a denial of service. An attacker can easily disrupt OwnTone Server functionality by sending a high volume of requests to the /login endpoint. This can render the server unavailable to legitimate users, impacting media streaming and other services provided by OwnTone. The lack of authentication required for exploitation significantly lowers the barrier to entry for attackers, making this vulnerability a serious concern. Successful exploitation doesn't lead to data exfiltration or code execution, but the service disruption can be significant, especially in environments where OwnTone Server is critical for media management or distribution.
Exploitation Context
CVE-2026-41458 was publicly disclosed on 2026-04-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS
0.37% (59th percentile)
Mitigation and Workarounds
The recommended mitigation for CVE-2026-41458 is to immediately upgrade OwnTone Server to version 29.1.0 or later. If upgrading is not immediately feasible, consider implementing rate limiting on the /login endpoint to restrict the number of concurrent requests from a single IP address. Web application firewalls (WAFs) can be configured to detect and block suspicious traffic patterns indicative of a DoS attack. Monitoring server resource utilization (CPU, memory) can help identify potential DoS attacks in progress. After upgrading, confirm the fix by attempting to flood the /login endpoint with concurrent requests and verifying that the server remains stable.
How to fix
Update OwnTone Server to version 29.1.0 or later to mitigate the race condition vulnerability in the DAAP login handler. This update corrects the unsynchronized access to the global DAAP session list, thus preventing remote denial of service attacks.
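The fix description above (serialising access to a global session list) and the rate-limiting workaround in the mitigation section both reduce to the same two controls: every touch of shared session state happens under a lock, and one client cannot hold an unbounded number of sessions. The C program below is an added example written for this page, not OwnTone's code; the `struct session` layout, the function names, the cap of four sessions per client and the client addresses are all constructed for illustration. It shows login and logout handlers that take a mutex around every access to a global linked list, a per-client cap that refuses further logins once a client is at the limit (a crude in-process counterpart to the proxy-level rate limit recommended above), and a stress test that runs many concurrent login/logout pairs and checks the list is still consistent afterwards. Build with `cc -pthread`.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session record; not OwnTone's real type. */
struct session { int id; const char *client; struct session *next; };

/* Global session list plus the lock the fix is described as adding: every
 * read or write of the list below happens with sessions_lock held. */
static struct session *sessions = NULL;
static pthread_mutex_t sessions_lock = PTHREAD_MUTEX_INITIALIZER;
static int next_id = 1;

/* Constructed per-client cap standing in for the recommended rate limit. */
#define MAX_SESSIONS_PER_CLIENT 4

/* Caller must hold sessions_lock; a NULL client counts every session. */
static int count_locked(const char *client)
{
    int n = 0;
    for (struct session *s = sessions; s; s = s->next)
        if (!client || strcmp(s->client, client) == 0) n++;
    return n;
}

/* Login: returns a positive session id, or -1 if the client is at the cap. */
int session_login(const char *client)
{
    int id = -1;
    pthread_mutex_lock(&sessions_lock);
    if (count_locked(client) < MAX_SESSIONS_PER_CLIENT) {
        struct session *s = calloc(1, sizeof *s);
        if (s) {
            s->id = next_id++;
            s->client = client;
            s->next = sessions;   /* head pointer changes only under the lock */
            sessions = s;
            id = s->id;
        }
    }
    pthread_mutex_unlock(&sessions_lock);
    return id;
}

/* Logout: unlinks and frees the session; 0 on success, -1 if not found. */
int session_logout(int id)
{
    int rc = -1;
    pthread_mutex_lock(&sessions_lock);
    for (struct session **pp = &sessions; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) {
            struct session *dead = *pp;
            *pp = dead->next;
            free(dead);
            rc = 0;
            break;
        }
    pthread_mutex_unlock(&sessions_lock);
    return rc;
}

int session_count(void)
{
    pthread_mutex_lock(&sessions_lock);
    int n = count_locked(NULL);
    pthread_mutex_unlock(&sessions_lock);
    return n;
}

/* One worker = a burst of login/logout pairs from one constructed client address. */
static void *worker(void *arg)
{
    int iterations = *(int *)arg;
    for (int i = 0; i < iterations; i++) {
        int id = session_login("198.51.100.7");
        if (id > 0) session_logout(id);   /* logins refused by the cap are dropped */
    }
    return NULL;
}

/* Runs up to 64 workers at once; returns sessions left behind (0 = list consistent). */
int stress_test(int nthreads, int iterations)
{
    pthread_t th[64];
    if (nthreads > 64) nthreads = 64;
    for (int i = 0; i < nthreads; i++) pthread_create(&th[i], NULL, worker, &iterations);
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    return session_count();   /* all workers joined, so iterations is still live */
}

/* Per-client cap check: a fifth login from one client must be refused. */
int limit_test(void)
{
    int ids[MAX_SESSIONS_PER_CLIENT], ok = 1, i;
    for (i = 0; i < MAX_SESSIONS_PER_CLIENT; i++) ok &= (ids[i] = session_login("203.0.113.5")) > 0;
    ok &= session_login("203.0.113.5") == -1;
    for (i = 0; i < MAX_SESSIONS_PER_CLIENT; i++) ok &= session_logout(ids[i]) == 0;
    return ok && session_count() == 0;
}
```

Deleting the lock and unlock calls in `session_login` and `session_logout` reproduces the class of defect the advisory describes: concurrent updates to the list head and to `next_id` orphan entries or free them twice, and `stress_test` then returns a non-zero count or crashes. The in-process cap is a backstop only; the limit recommended in the mitigation section belongs in front of the service (reverse proxy or WAF) so that rejected bursts never reach the handler at all.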
Frequently asked questions
What is CVE-2026-41458 — DoS in OwnTone Server?
CVE-2026-41458 is a Denial of Service vulnerability in OwnTone Server versions 28.4 through 29.0, allowing attackers to crash the server by flooding the /login endpoint.
Am I affected by CVE-2026-41458 in OwnTone Server?
You are affected if you are running OwnTone Server versions 28.4 through 29.0. Upgrade to version 29.1.0 or later to mitigate the risk.
How do I fix CVE-2026-41458 in OwnTone Server?
Upgrade OwnTone Server to version 29.1.0 or later. As a temporary workaround, implement rate limiting on the /login endpoint.
Is CVE-2026-41458 being actively exploited?
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Where can I find the official OwnTone Server advisory for CVE-2026-41458?
Refer to the OwnTone Server release notes and security advisories on the official OwnTone website for the latest information.