Denial of Service Vulnerability in Owntone Server by Owntone
CVE-2026-26828

7.5 HIGH

Key Information:

Vendor: Owntone
CVE Published: 23 March 2026

What is CVE-2026-26828?

A vulnerability exists within the Owntone Server that stems from a NULL pointer dereference in the daap_reply_playlists function. An attacker can exploit this flaw by sending a specially crafted DAAP request to the server, resulting in a denial of service condition. This issue poses a risk to availability by causing the server to crash or become unresponsive, thus limiting access for legitimate users. Users are advised to upgrade to the latest versions to mitigate this vulnerability.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
