CVE-2026-10108: xiaomusic 0.5.7 Path Traversal via GET /music endpoint
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.
HarborGuard Analysis
Synopsis
An unauthenticated path traversal vulnerability affects xiaomusic through version 0.5.7 in the GET /music/{file_path:path} endpoint. The flaw is reachable over the network without authentication or user interaction: an incomplete prefix check (missing trailing separator) lets an attacker craft traversal sequences that escape the music directory and read arbitrary files the server process can access. No upstream fix has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as one is available.
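The incomplete prefix check described above (and in the CVE description), shown beside a containment check that compares whole path components rather than a string prefix. This is an added illustration of the bug class, not xiaomusic's own code; the directory /srv/media/music, the sibling name music_backup and the request strings are constructed.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed stand-in for the configured music_path (no trailing separator).
MUSIC_PATH = "/srv/media/music"


def weak_resolve(music_path: str, requested: str) -> Optional[str]:
    """Prefix check without a trailing separator: the pattern the advisory
    describes. Plain '..' escapes are caught, but a sibling directory whose
    name merely starts with the same string (music_backup) passes."""
    target = os.path.normpath(os.path.join(music_path, requested))
    if not target.startswith(music_path):
        return None
    return target


def safe_resolve(music_path: str, requested: str) -> Optional[str]:
    """Containment check: after collapsing '..' (and symlinks, if the path
    exists) the target must be the root itself or lie below it. relative_to
    works on path components, so a shared string prefix is not enough."""
    root = Path(music_path).resolve()
    target = (root / requested).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return str(target)


if __name__ == "__main__":
    # Constructed requests: one legitimate, one sibling-prefix escape,
    # one ordinary traversal, one absolute path.
    for req in ("album/track.mp3", "../music_backup/config.yaml",
                "../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:32} weak={weak_resolve(MUSIC_PATH, req)!s:40} "
              f"safe={safe_resolve(MUSIC_PATH, req)}")
```

Only the sibling-prefix request separates the two checks: the weak variant returns a path under /srv/media/music_backup, the containment check rejects it.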
HarborGuard Coverage
Detection (Available)
Detection is available across every HarborGuard environment: the xiaomusic advisory is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle xiaomusic at or below 0.5.7. Image-layer and package-manifest analysis flag affected builds regardless of whether xiaomusic was installed from a package or vendored into the image.
Triage (Available)
Triage is available with the published CVSS v4.0 score of 8.7 (High) applied as the baseline, then weighted by each customer's compliance policy (for example, internet-exposed media services or images handling sensitive volumes are escalated). Findings route to the inbox configured for the owning team inside each customer org so the right responders see it first.
Fix (Pending upstream)
No upstream fix version exists yet, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment hanxi/xiaomusic publishes a fixed release. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads as soon as the upstream patch lands.
Exploit Conditions
- Network reachability: Required
The attacker must reach the xiaomusic HTTP service over the network (AV:N); any environment exposing the /music endpoint to untrusted networks is in scope.
- Authentication: Not required
PR:N: the endpoint accepts unauthenticated requests, so no credentials or session are needed.
- Victim interaction: Not required
UI:N: exploitation is a direct HTTP request and does not require any user to click or open anything.
- Attack complexity: Low
AC:L: the exploit is a single crafted path string against a known endpoint, with no race conditions or environmental prerequisites.
Blast Radius
- Reads arbitrary files outside the music directory that are accessible to the xiaomusic process, including configuration files, credentials, tokens, and other application data on the same filesystem.
- Enables reconnaissance of the host (for example /etc/passwd, environment files, mounted secrets) that can seed follow-on attacks against adjacent services.
- No integrity or availability impact from this flaw on its own (VI:N/VA:N): the server is not modified or crashed by the traversal itself.
How HarborGuard Handles This
Available on HarborGuard: continuous tracking of CVE-2026-10108 against every image containing xiaomusic at or below 0.5.7, with High-severity findings routed to the owning team. Until an upstream fix is published, compensating-control guidance is surfaced alongside the finding: restrict network exposure of the /music endpoint via network policy or an authenticated reverse proxy, run the xiaomusic process under a dedicated low-privilege user with a tightly scoped filesystem view (no shared secrets on the same volume), and consider feature-flag gating or removal of the endpoint in builds that do not need it. The advisory is re-checked on every ingest cycle, and once hanxi/xiaomusic ships a fixed release, a patched-image rebuild becomes available automatically; environments with auto-remediation enabled then receive a rebuild, a regression test run, and a PR opened against affected workloads without further action.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- hanxi / xiaomusic ≤ 0.5.7 · ≤ 88404da7a283f2c0a796a4cd16bbb6e6aa1f4722
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N