PT-2026-44495 · Unknown · Music Player Daemon

Daniele Berardinelli +1 · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-49128

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Music Player Daemon (MPD) versions prior to 0.24.11

Description: A path traversal issue exists within the local storage plugin in the functions LocalStorage::MapFSOrThrow() and LocalStorage::MapUTF8(). The flaw occurs because the on-disk path is created by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to remain in the resolved path. An unauthenticated attacker can use the 'listfiles' command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, or the 'albumart' command to read image files in any directory outside the configured music directory.

Recommendations: Update to version 0.24.11 or later.
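
The class of flaw described above, next to one way to close it, as an added example that is not MPD's code or the upstream fix. The names NaiveJoin and SafeJoin and the root /srv/music are hypothetical, and the example assumes it is acceptable to reject any URI containing a '..' segment rather than resolve it.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for the pattern in the advisory: root and URI are
// concatenated as plain strings, so ".." segments survive into the path.
std::string NaiveJoin(const std::string &root, const std::string &uri) {
    return root + "/" + uri;
}

// Hypothetical hardened join: validates the URI segment by segment before
// building the on-disk path. Returns false (and leaves 'out' untouched)
// for absolute URIs, embedded NUL bytes, and any ".." segment.
// This check is lexical only; symlinks below the root are a separate
// concern that needs realpath()-style resolution on top.
bool SafeJoin(const std::string &root, const std::string &uri,
              std::string &out) {
    if (!uri.empty() && uri[0] == '/') return false;
    if (uri.find('\0') != std::string::npos) return false;

    std::vector<std::string> parts;
    std::size_t start = 0;
    while (start <= uri.size()) {
        std::size_t end = uri.find('/', start);
        if (end == std::string::npos) end = uri.size();
        const std::string seg = uri.substr(start, end - start);
        start = end + 1;
        if (seg.empty() || seg == ".") continue;  // collapse "//" and "/./"
        if (seg == "..") return false;            // never climb upward
        parts.push_back(seg);
    }

    std::string joined = root;
    for (const auto &p : parts) {
        joined += "/";
        joined += p;
    }
    out = joined;
    return true;
}

int main() {
    // Constructed sample inputs.
    const char *uris[] = {"albums/live", "albums/../../..", "/etc"};
    for (const char *u : uris) {
        std::string path;
        bool ok = SafeJoin("/srv/music", u, path);
        std::cout << u << " -> " << (ok ? path : "rejected") << "\n";
    }
    return 0;
}
```
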

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-49128

Affected Products: Music Player Daemon