HIGH | CVE-2026-50234 | CNA: VulnCheck

CVE-2026-50234: Lyrion Music Server 9.2.0 Path Traversal File Read

Lyrion Music Server 9.2.0 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting directory traversal in the web server context. Attackers can manipulate file path parameters to access sensitive files outside the intended directory structure.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in Lyrion Music Server 9.2.0 allows unauthenticated attackers to read arbitrary files from the host filesystem by manipulating file path parameters in the server's web interface. The vulnerability is reachable over the network and requires no credentials, making it trivially accessible to any attacker who can reach the service. Successful exploitation allows an attacker to read sensitive files outside the intended directory, including configuration files, credentials, and other data stored on the host. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as upstream publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-50234 is available across all HarborGuard environments, with the CVE ingested from upstream feeds and matched against customer images within minutes of publication. This matching covers both base images pulled from public registries and custom-built images pushed through customer CI pipelines.

Status: Available

Triage

HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and is capable of weighting that score against each customer environment's compliance policy to surface priority and routing appropriate to the customer's risk posture. Triage results are routed to the team or inbox configured in each customer org's notification settings.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-50234, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix version appears upstream.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Lyrion Music Server web interface over the network; no local access or special positioning is needed beyond TCP reachability to the service port.

  • Authentication: Not required

    No credentials are required; the path traversal endpoint is accessible to any unauthenticated client that can reach the service.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user of the affected server.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, specific memory layout, or environmental prerequisites are needed to read arbitrary files.

Blast Radius

  • Reads arbitrary files from the host filesystem, including application configuration files that may contain database credentials, API keys, or service account tokens.
  • Reads OS-level files such as /etc/passwd or private key material stored on disk, which can be used to pivot to further compromise.
  • Leaks the full directory structure of the host, giving an attacker a detailed map of installed software and data paths for follow-on attacks.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50234 is active across all environments scanning images that include Lyrion Music Server 9.2.0. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will fire automatically without manual intervention.

While awaiting an upstream fix, recommended compensating controls include:

  • Isolating affected containers behind a network policy that restricts inbound access to the Lyrion Music Server web port to trusted source addresses only.
  • Applying egress filtering to prevent the server from being used as a pivot point.
  • Auditing what sensitive files are present on the container filesystem to reduce exposure if the vulnerability is triggered.
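
The inbound restriction and egress filtering recommended above can be expressed as a single Kubernetes NetworkPolicy. This is an added example, not HarborGuard or Lyrion configuration; the policy name, namespace, pod label, trusted CIDR and web port 9000 are assumptions to replace with the values of the actual deployment.

```yaml
# Added example: names, labels, CIDR and port are assumptions,
# not values taken from the advisory.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: lyrion-restrict-web        # hypothetical policy name
  namespace: media                 # hypothetical namespace
spec:
  podSelector:
    matchLabels:
      app: lyrion-music-server     # hypothetical label on the affected pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the trusted range may reach the web interface. All other inbound
    # traffic to these pods is dropped, so any additional port the
    # deployment relies on needs its own explicit rule.
    - from:
        - ipBlock:
            cidr: 10.20.0.0/24     # constructed example of a trusted source range
      ports:
        - protocol: TCP
          port: 9000               # assumed web port; match the deployment
  egress:
    # Egress is denied by default once Egress is listed in policyTypes.
    # Only cluster DNS is allowed here; add further destinations one by
    # one so a compromised pod cannot reach arbitrary internal services.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The policy only takes effect on clusters whose network plugin enforces NetworkPolicy objects.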

Affected packages
  • LMS Community / Lyrion Music Server: 9.2.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N