Ghostwire

CVE-2026-41458: OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows...

MEDIUM CVSS 0.0 Exploit Available

Published: April 22, 2026 | Last Modified: April 22, 2026

Description

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

Ghostwire Analysis — What This Means Practically

Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References

github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c2
github.com/owntone/owntone-server/pull/1980
www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login
www.tenable.com/cve/CVE-2026-41458
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-41458