How is CVE-2026-49128 exploited?

Network reachability (required): The attacker must reach the MPD service over the network; the AV:N vector token confirms over-the-network exposure is the attack path. Authentication (not-required): No account or credential is needed; PR:N indicates the exploit works against an unauthenticated MPD connection. Victim interaction (not-required): No action from a logged-in user or administrator is required; UI:N means the attacker operates entirely without social engineering. Attack complexity (info): AC:L indicates the exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental setup beyond reaching the service.

What is the impact of CVE-2026-49128?

Reads file names, sizes, and modification timestamps of arbitrary directories accessible to the MPD process, bypassing the music_directory boundary. Reads raw image file content from any attacker-chosen directory outside the configured storage root via the albumart command. Exposes directory structure and file metadata that can be used to map the host filesystem layout for follow-on attacks.

Back to search

HIGHCVE-2026-49128Published 2026-05-28Modified 2026-05-29CNA VulnCheck

CVE-2026-49128: Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling

Q: What is CVE-2026-49128?

A path traversal vulnerability in Music Player Daemon (MPD) before version 0.24.11 allows an unauthenticated remote attacker to escape the configured music_directory by supplying URI strings containing '..' segments to the LocalStorage plugin. The CVSS vector indicates the service is reachable over the network with no authentication and no user interaction required. Successful exploitation gives the attacker read access to arbitrary directories and image files on disk that the MPD process can reach, exposing file names, sizes, modification timestamps, and image content outside the intended storage root. A patched-image rebuild at version 0.24.11 is available on HarborGuard for affected environments.

Q: How is CVE-2026-49128 fixed?

A patched-image rebuild at MPD 0.24.11 becomes available through HarborGuard once the fix version is matched against affected images. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A path traversal vulnerability in Music Player Daemon (MPD) before version 0.24.11 allows an unauthenticated remote attacker to escape the configured music_directory by supplying URI strings containing '..' segments to the LocalStorage plugin. The CVSS vector indicates the service is reachable over the network with no authentication and no user interaction required. Successful exploitation gives the attacker read access to arbitrary directories and image files on disk that the MPD process can reach, exposing file names, sizes, modification timestamps, and image content outside the intended storage root. A patched-image rebuild at version 0.24.11 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle MPD. Any image running an MPD version below 0.24.11 is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 8.7 (High) using the published v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. The finding is surfaced to the inbox or team configured for the affected workload within each customer organization.

Available

Patch

A patched-image rebuild at MPD 0.24.11 becomes available through HarborGuard once the fix version is matched against affected images. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the MPD service over the network; the AV:N vector token confirms over-the-network exposure is the attack path.
AuthenticationNot required
No account or credential is needed; PR:N indicates the exploit works against an unauthenticated MPD connection.
Victim interactionNot required
No action from a logged-in user or administrator is required; UI:N means the attacker operates entirely without social engineering.
Attack complexityDetail
AC:L indicates the exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental setup beyond reaching the service.

Blast Radius

Reads file names, sizes, and modification timestamps of arbitrary directories accessible to the MPD process, bypassing the music_directory boundary.
Reads raw image file content from any attacker-chosen directory outside the configured storage root via the albumart command.
Exposes directory structure and file metadata that can be used to map the host filesystem layout for follow-on attacks.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49128 is active across all connected registries and pipelines, matching any image that ships MPD below 0.24.11 within minutes of scan. For customers who opt into auto-remediation, a rebuilt image at 0.24.11 is generated, a regression test run is executed, and a pull request is opened against affected workloads; median time from publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS 8.7 High score and remediation target attached. As an interim compensating control, network policy rules that restrict inbound access to the MPD port to trusted hosts only will reduce the exploitable surface while a rebuild is being reviewed.

See how HarborGuard automates this

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 0.24.11
Affected Products: 1

Fix available

0.24.11

Patch commits

Affected packages

MusicPlayerDaemon / MPD
< 0.24.11 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available