Vulnerability in Owntone Owntone-server

CVE-2026-41458

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attac…

Vulnerability class: Race Condition

EPSS: 0.004 (58.0th percentile) — read the EPSS interpretation.

Affected products

Owntone Owntone-server — versions dca94641a5ed66500822dd51281774794cdb6c22, 28.7.0, 28.4.0

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

github.com/owntone/owntone-server/pull/1980 (issue-tracking)
github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c… (patch)
www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login (third-party-advisory)