PT-2026-44496 · Unknown+1 · Music Player Daemon+1

Daniele Berardinelli +1 · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-49129

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Music Player Daemon (MPD) versions prior to 0.24.11

Description: A server-side request forgery (SSRF) issue exists in the CurlInputPlugin. The CURLOPT_FOLLOWLOCATION option is enabled without specifying CURLOPT_REDIR_PROTOCOLS_STR, which allows unauthenticated attackers to bypass http/https scheme restrictions. By using a malicious HTTP server to redirect requests to non-HTTP protocols, such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp, attackers can interact with internal or restricted network services. This is possible on systems using libcurl versions prior to 7.85.0. The issue can be triggered via MPD commands that initiate URL fetches, specifically add, readcomments, albumart, readpicture, or load.

Recommendations: Update to version 0.24.11 or later.
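The redirect handling the description refers to, as an added illustration in Python (not MPD's or libcurl's code): `fetch` models a libcurl-style client with follow-location enabled, and its `redir_protocols` argument plays the role of CURLOPT_REDIR_PROTOCOLS_STR; the hostnames, URLs and `FAKE_SERVER` responses are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample "network" for the model: URL -> (status, headers, body).
# Hostnames are placeholders, not real systems.
FAKE_SERVER = {
    # A hostile stream URL that answers with a redirect to a non-HTTP scheme.
    "http://hostile.example/stream.mp3": (302, {"Location": "gopher://intranet.example:70/"}, b""),
    # A benign CDN chain: a relative Location followed by an absolute https one.
    "http://cdn.example/a.mp3": (302, {"Location": "/b.mp3"}, b""),
    "http://cdn.example/b.mp3": (301, {"Location": "https://cdn.example/c.mp3"}, b""),
    "https://cdn.example/c.mp3": (200, {}, b"ID3"),
}


class RedirectRefused(Exception):
    """Raised when a redirect target scheme is not in the allowlist."""


def fetch(url, follow_location=True, redir_protocols=None, max_redirs=5, server=FAKE_SERVER):
    """Model of a libcurl-style fetch.

    follow_location -> CURLOPT_FOLLOWLOCATION
    redir_protocols -> CURLOPT_REDIR_PROTOCOLS_STR, e.g. "http,https"; None models
                       the vulnerable setup with no redirect scheme allowlist,
                       where any scheme named in Location is followed.
    Returns (final_url, status, chain) or raises RedirectRefused.
    """
    allowed = None if redir_protocols is None else {p.strip().lower() for p in redir_protocols.split(",")}
    chain = [url]
    for _ in range(max_redirs + 1):
        status, headers, _body = server.get(url, (404, {}, b""))
        if status not in (301, 302, 303, 307, 308) or not follow_location:
            return url, status, chain
        # Location may be relative; resolve it against the current URL first,
        # then check the scheme of the *resolved* target.
        target = urljoin(url, headers.get("Location", ""))
        scheme = urlsplit(target).scheme.lower()
        if allowed is not None and scheme not in allowed:
            raise RedirectRefused(f"refusing redirect to {scheme}:// ({target})")
        url = target
        chain.append(url)
    raise RedirectRefused(f"more than {max_redirs} redirects")


def redirect_blocked(url, redir_protocols="http,https"):
    """True if fetching url under the given allowlist would be refused."""
    try:
        fetch(url, redir_protocols=redir_protocols)
        return False
    except RedirectRefused:
        return True
```

In libcurl itself the equivalent hardening is to set CURLOPT_REDIR_PROTOCOLS_STR to "http,https" whenever CURLOPT_FOLLOWLOCATION is enabled.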

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-49129

Affected Products: Music Player Daemon, Libcurl