HIGHCVE-2026-41458Published 2026-04-22Modified 2026-05-25CNA VulnCheck

CVE-2026-41458: OwnTone Server < 29.1 Race Condition DoS via DAAP Login

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: 29.1.0
Affected Products: 1

Fix available

29.1.0dca94641a5ed66500822dd51281774794cdb6c22

Patch commits

github.com

Affected packages

owntone / owntone-server
< 29.1.0 (from 28.4.0)
Fixed in dca94641a5ed66500822dd51281774794cdb6c22

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

github.com
github.com
vulncheck.com

Metrics

Fix available