Platform: nodejs
Component: owntone-server
Fixed in: 29.1.0
CVE-2026-41458 describes a Denial of Service (DoS) vulnerability affecting OwnTone Server versions 28.4 through 29.0. This flaw allows unauthenticated attackers to crash the server by exploiting a race condition in the DAAP login handler. The vulnerability is triggered by flooding the /login endpoint with concurrent requests, leading to a remote denial of service. A fix is available in version 29.1.0.
The primary impact of CVE-2026-41458 is a denial of service. An attacker can easily disrupt OwnTone Server functionality by sending a high volume of requests to the /login endpoint. This can render the server unavailable to legitimate users, impacting media streaming and other services provided by OwnTone. The lack of authentication required for exploitation significantly lowers the barrier to entry for attackers, making this vulnerability a serious concern. Successful exploitation doesn't lead to data exfiltration or code execution, but the service disruption can be significant, especially in environments where OwnTone Server is critical for media management or distribution.
CVE-2026-41458 was publicly disclosed on 2026-04-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals relying on OwnTone Server for media management and streaming are at risk. This includes users of older OwnTone Server installations who have not yet applied security updates. Shared hosting environments where OwnTone Server is deployed could be particularly vulnerable, as an attacker could potentially target the server from another tenant's account.
• nodejs / server: Monitor OwnTone Server logs for a high volume of requests to the /login endpoint originating from a single IP address or a small number of IP addresses. Use journalctl -f to observe login attempts and resource usage.
  journalctl -f | grep "/login"
• generic web: Use curl to send a large number of concurrent requests to the /login endpoint and monitor server response times and resource utilization.
  curl -v -H 'Accept: application/json' -X POST http://<ownToneServerIP>/login --parallel --limit 100
Disclosure
Exploit Status
EPSS: 0.37% (59th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-41458 is to immediately upgrade OwnTone Server to version 29.1.0 or later. If upgrading is not immediately feasible, consider implementing rate limiting on the /login endpoint to restrict the number of concurrent requests from a single IP address. Web application firewalls (WAFs) can be configured to detect and block suspicious traffic patterns indicative of a DoS attack. Monitoring server resource utilization (CPU, memory) can help identify potential DoS attacks in progress. After upgrading, confirm the fix by attempting to flood the /login endpoint with concurrent requests and verifying that the server remains stable.
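The log-monitoring advice in the detection section above (flag a client that sends many /login requests in a short time) and the interim mitigation here (rate limiting per source IP) are both instances of one mechanism: a per-IP sliding-window counter. The following Python script is an added example, not code from the advisory or from the OwnTone project. It assumes a constructed log line format of `<ISO-8601 timestamp> <client IP> <method> <path>`; the real OwnTone or reverse-proxy log format will differ, so `parse_line()` is the part to adapt. The sample IPs are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24) and the log lines are constructed for the example.

```python
"""Per-IP burst detection / rate limiting for /login requests.

Added example (not part of the advisory). Assumes log lines of the form
    <ISO-8601 timestamp> <client IP> <method> <path>
Adapt parse_line() to the real OwnTone or reverse-proxy access log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

WINDOW_SECONDS = 10.0    # sliding window length
LIMIT_PER_WINDOW = 20    # max /login requests per client IP inside the window


def parse_line(line: str) -> Optional[Tuple[float, str, str]]:
    """Return (unix_timestamp, client_ip, path) for a /login request, else None.

    Malformed lines and requests to other paths are ignored.
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    ts_text, ip, _method, path = parts[:4]
    if path.split("?", 1)[0] != "/login":
        return None
    try:
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts.timestamp(), ip, path


class SlidingWindowLimiter:
    """Sliding-window counter per client IP.

    allow() returns False once `limit` requests from that IP already fall
    inside the last `window` seconds; rejected requests are not recorded,
    so a client that keeps hammering stays blocked until the window drains.
    """

    def __init__(self, limit: int = LIMIT_PER_WINDOW, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        # Evict timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def scan_log(lines: Iterable[str],
             limit: int = LIMIT_PER_WINDOW,
             window: float = WINDOW_SECONDS) -> Dict[str, int]:
    """Replay a log through the limiter.

    Returns {client_ip: number of /login requests that exceeded the budget}.
    Any IP present in the result is a burst source worth alerting on; the
    same allow() decision is what a rate limiter in front of /login enforces.
    """
    limiter = SlidingWindowLimiter(limit, window)
    rejected: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _path = parsed
        if not limiter.allow(ip, ts):
            rejected[ip] += 1
    return dict(rejected)


def sample_log() -> List[str]:
    """Constructed sample: one client floods /login, another behaves normally."""
    base = datetime(2026, 4, 22, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(dt: datetime) -> str:
        return dt.isoformat().replace("+00:00", "Z")

    lines: List[str] = []
    # 50 requests in 5 seconds from one address (constructed flood pattern).
    for i in range(50):
        lines.append(f"{stamp(base + timedelta(milliseconds=100 * i))} 203.0.113.5 GET /login")
    # 3 requests a second apart from a normal client.
    for i in range(3):
        lines.append(f"{stamp(base + timedelta(seconds=i))} 198.51.100.7 GET /login")
    # Unrelated endpoint and a malformed line: both must be ignored.
    lines.append(f"{stamp(base)} 198.51.100.7 GET /server-info")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for ip, count in scan_log(sample_log()).items():
        print(f"ALERT {ip}: {count} /login requests over budget")
```

Replaying the constructed sample flags 203.0.113.5 with 30 over-budget requests (the first 20 fit the window) and nothing for the well-behaved client. Tune `LIMIT_PER_WINDOW` and `WINDOW_SECONDS` to the real traffic of the deployment; legitimate DAAP clients log in once and then hold a session, so a budget of a few requests per client per minute is usually generous.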
Update OwnTone Server to version 29.1.0 or later to mitigate the race condition vulnerability in the DAAP login handler. This update fixes the unsynchronized access to the global DAAP session list, thereby preventing remote denial of service attacks.
CVE-2026-41458 is a Denial of Service vulnerability in OwnTone Server versions 28.4 through 29.0, allowing attackers to crash the server by flooding the /login endpoint.
You are affected if you are running OwnTone Server versions 28.4 through 29.0. Upgrade to version 29.1.0 or later to mitigate the risk.
Upgrade OwnTone Server to version 29.1.0 or later. As a temporary workaround, implement rate limiting on the /login endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the OwnTone Server release notes and security advisories on the official OwnTone website for the latest information.