OwnTone Server < 29.1 Race Condition DoS via DAAP Login

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

Basic Information

ID CVE-2026-41458

Source VulnCheck

Published Apr 22, 2026 at 01:46

Affected Product

Vendor owntone

Product owntone-server

Version 28.7.0

Affected Versions owntone owntone-server 28.7.0

CWE Classification

CWE-362

References

{
    "lastseen": "",
    "description": "OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.",
    "published": "2026-04-22T01:46:28.142Z",
    "modified": "2026-04-22T01:46:28.142Z",
    "type": "cve",
    "title": "OwnTone Server < 29.1 Race Condition DoS via DAAP Login",
    "source": "VulnCheck",
    "references": "https://github.com/owntone/owntone-server/pull/1980\nhttps://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22\nhttps://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login",
    "id": "CVE-2026-41458",
    "bulletinFamily": "",
    "cwe": [
        "CWE-362"
    ],
    "cvelist": null,
    "sourceData": "owntone owntone-server 28.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "owntone-server",
    "version": "28.7.0",
    "vendor": "owntone",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OwnTone Server < 29.1 Race Condition DoS via DAAP Login_CVE-2026-41458