{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41458", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-22T01:46:28.142Z", "dateUpdated": "2026-04-22T18:06:24.028Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T01:46:28.142Z"}, "title": "OwnTone Server < 29.1 Race Condition DoS via DAAP Login", "datePublic": "2026-03-08T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "affected": [{"vendor": "owntone", "product": "owntone-server", "repo": "https://github.com/owntone/owntone-server", "versions": [{"status": "affected", "version": "28.7.0", "lessThan": "29.1.0", "versionType": "semver"}, {"status": "unaffected", "version": "dca94641a5ed66500822dd51281774794cdb6c22", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.<br>"}]}], "references": [{"url": "https://github.com/owntone/owntone-server/pull/1980", "tags": ["issue-tracking"]}, {"url": "https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Younghyo Cho @ CIS Lab., Seoultech.", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:06:07.619094Z", "id": "CVE-2026-41458", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:06:24.028Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41458", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:06:07.619094Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:06:13.339Z"}}], "cna": {"title": "OwnTone Server < 29.1 Race Condition DoS via DAAP Login", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Younghyo Cho @ CIS Lab., Seoultech."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/owntone/owntone-server", "vendor": "owntone", "product": "owntone-server", "versions": [{"status": "affected", "version": "28.7.0", "lessThan": "29.1.0", "versionType": "semver"}, {"status": "unaffected", "version": "dca94641a5ed66500822dd51281774794cdb6c22", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-08T16:00:00.000Z", "references": [{"url": "https://github.com/owntone/owntone-server/pull/1980", "tags": ["issue-tracking"]}, {"url": "https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.", "supportingMedia": [{"type": "text/html", "value": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T01:46:28.142Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41458", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:06:24.028Z", "dateReserved": "2026-04-20T16:07:47.310Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-22T01:46:28.142Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication."}], "id": "CVE-2026-41458", "lastModified": "2026-04-22T21:21:26.840", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T03:16:01.067", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/owntone/owntone-server/pull/1980"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.7.0,29.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "dca94641a5ed66500822dd51281774794cdb6c22"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "server", "vendor": "owntone"}], "analysis": {"en": {"generated_at": "2026-04-22T04:22:09.559271+00:00", "value": {"mitigation_remediation": ["Upgrade Owntone Server to version 29.1 or later to apply the fixed DAAP login handler.", "If an upgrade is not immediately possible, apply the patch from commit dca94641a5ed66500822dd51281774794cdb6c22 that synchronizes access to the global DAAP session list.", "Use firewall or reverse\u2011proxy rate\u2011limiting to restrict the number of concurrent requests to the /login endpoint, mitigating the risk of a DoS attack."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Owntone Server versions 28.4 through 29.0 are affected. The issue does not apply to version 29.1 or later, which contain the fix.", "description_and_impact": "A race condition exists in the DAAP login handler of Owntone Server that allows an unauthenticated attacker to crash the server. The flaw arises from unsynchronized access to a global DAAP session list when multiple concurrent login requests are processed at the same time. Exploiting this race condition causes the server to terminate unexpectedly, resulting in a denial of service.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.2, indicating a high severity. The EPSS score is not available, but the high CVSS suggests a notable risk of exploitation. Attackers can trigger the condition by flooding the /login endpoint with simultaneous requests; no authentication is required. The vulnerability is not listed in the CISA KEV catalog, but its impact as a remote denial of service remains significant."}}}}, "created": "2026-04-22T04:30:05.298563+00:00", "updated": "2026-04-22T11:44:51.721391+00:00", "vendors": ["owntone", "owntone$PRODUCT$server"]}