Platform
nodejs
Component
owntone-server
Fixed in
29.1.0
CVE-2026-41458 is a Denial of Service (DoS) vulnerability in OwnTone Server versions 28.4 through 29.0. An unauthenticated attacker who can reach the server's DAAP interface can crash it by flooding the /login endpoint with concurrent requests, which triggers a race condition in the DAAP login handler. The issue is fixed in version 29.1.0.
The impact of CVE-2026-41458 is denial of service. An attacker disrupts OwnTone Server by sending a high volume of concurrent requests to the /login endpoint, rendering the server unavailable to legitimate users and interrupting media streaming and the other services OwnTone provides. No credentials are needed, so any host that can reach the server's DAAP port is a potential attacker; exposure is highest where OwnTone listens on a network shared with untrusted devices or is reachable from the internet. Successful exploitation does not lead to data exfiltration or code execution, but the service disruption can be significant where OwnTone Server is relied on for media management or distribution.
CVE-2026-41458 was publicly disclosed on 2026-04-22. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score at the time of writing is given below.
Exploit Status
EPSS
0.37% (59th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-41458 is to upgrade OwnTone Server to version 29.1.0 or later as soon as possible. If that is not immediately feasible, reduce exposure rather than rely on a workaround alone: restrict the port OwnTone listens on to trusted networks with a host or network firewall, and apply per-source rate limiting to the /login endpoint (for example at a reverse proxy or WAF) to cap the number of concurrent requests a single client can issue. Two caveats apply. A proxy-level limit only covers traffic that passes through the proxy; DAAP clients discover OwnTone via mDNS and connect to its listening port directly, so that port must be filtered for the limit to hold. And rate limiting only raises the number of requests an attacker needs; it does not remove the race. Monitor for the symptom itself (unexpected OwnTone process exits or restarts, crash entries in the service logs) in addition to CPU and memory use. After upgrading, confirm the fix by flooding the /login endpoint of a test instance you control with concurrent requests and verifying that the server stays up; this check is the attack itself, so run it only against systems you are authorized to disrupt.
Update OwnTone Server to version 29.1.0 or later. The fix synchronizes access to the global DAAP session list, which the login handler in versions 28.4 through 29.0 read and modified without a lock; concurrent /login requests could therefore race on the list and crash the process. With access serialized, the flood no longer triggers the crash.
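As an added illustration (not code from OwnTone or its maintainers), the following C model shows the shape of the bug the advisory describes and the shape of the fix: a global session list mutated by concurrent login handlers without a lock, beside the same operations serialized under a mutex, plus a small thread harness that stands in for the /login flood. The structure and function names, the harness and its parameters are assumptions chosen for the illustration, not OwnTone's internals.

```c
/* Added illustrative model, not OwnTone's code: a DAAP-style /login handler
 * racing on a global session list, beside the mutex-protected form. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct session { uint32_t id; struct session *next; };

static struct session *sessions;                /* one global list per server */
static uint32_t next_id = 1;
static pthread_mutex_t sessions_lock = PTHREAD_MUTEX_INITIALIZER;

/* Pre-fix shape: head pointer and id counter are touched with no lock, so two
 * concurrent handlers can read the same head (one insert is lost) and a
 * concurrent removal can free a node another thread is still walking.
 * Kept only for comparison; never call it from more than one thread. */
uint32_t login_unsafe(void)
{
    struct session *s = malloc(sizeof *s);
    if (!s) return 0;
    s->id = next_id++;          /* unsynchronized read-modify-write */
    s->next = sessions;         /* may observe a stale head */
    sessions = s;               /* may overwrite another thread's insert */
    return s->id;
}

/* Fixed shape: every access to the shared list happens under one mutex. */
uint32_t login_locked(void)
{
    struct session *s = malloc(sizeof *s);
    if (!s) return 0;
    pthread_mutex_lock(&sessions_lock);
    s->id = next_id++;
    s->next = sessions;
    sessions = s;
    pthread_mutex_unlock(&sessions_lock);
    return s->id;
}

/* Unlink under the lock; free only once no other thread can reach the node.
 * Returns 1 if the id was present. */
int logout_locked(uint32_t id)
{
    pthread_mutex_lock(&sessions_lock);
    struct session **pp = &sessions;
    while (*pp && (*pp)->id != id) pp = &(*pp)->next;
    struct session *victim = *pp;
    if (victim) *pp = victim->next;
    pthread_mutex_unlock(&sessions_lock);
    free(victim);
    return victim != NULL;
}

size_t session_count(void)
{
    size_t n = 0;
    pthread_mutex_lock(&sessions_lock);
    for (struct session *s = sessions; s; s = s->next) n++;
    pthread_mutex_unlock(&sessions_lock);
    return n;
}

struct worker_arg { int iterations; int completed; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iterations; i++) {
        uint32_t id = login_locked();
        if (id && logout_locked(id)) a->completed++;
    }
    return NULL;
}

/* Stand-in for flooding /login: nthreads clients each log in and out
 * `iterations` times concurrently.  With the locked handlers it returns
 * nthreads * iterations and session_count() is 0 afterwards. */
int stress_login(int nthreads, int iterations)
{
    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    struct worker_arg *args = calloc((size_t)nthreads, sizeof *args);
    int started = 0, total = 0;
    if (!tids || !args) goto out;
    for (; started < nthreads; started++) {
        args[started].iterations = iterations;
        if (pthread_create(&tids[started], NULL, worker, &args[started]) != 0)
            break;
    }
    for (int i = 0; i < started; i++) {
        pthread_join(tids[i], NULL);
        total += args[i].completed;
    }
out:
    free(tids);
    free(args);
    return total;
}

int main(void)
{
    int done = stress_login(8, 5000);
    printf("%d login/logout pairs completed, %zu sessions left\n", done, session_count());
    return (done == 8 * 5000 && session_count() == 0) ? 0 : 1;
}
```

Compile with `gcc -pthread -fsanitize=thread` and point the worker at `login_unsafe` instead of `login_locked` to have ThreadSanitizer report the data race; with `login_locked` the run finishes with every session reclaimed and `session_count()` at 0, which is the property a synchronized session list gives the real server.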
CVE-2026-41458 is a Denial of Service vulnerability in OwnTone Server versions 28.4 through 29.0 that lets an unauthenticated attacker crash the server by flooding the /login endpoint with concurrent requests.
You are affected if you are running OwnTone Server versions 28.4 through 29.0. Upgrade to version 29.1.0 or later to mitigate the risk.
Upgrade OwnTone Server to version 29.1.0 or later. As a temporary workaround, implement rate limiting on the /login endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the OwnTone Server release notes and security advisories on the official OwnTone website for the latest information.