SQL Injection Flaw in OwnTone Server Affects Multiple Versions
CVE-2026-41457

6.9 MEDIUM

Key Information:

Vendor

OwnTone
CVE Published:
22 April 2026

What is CVE-2026-41457?

OwnTone Server versions 28.4.0 up to, but not including, 29.1.0 contain a SQL injection vulnerability in the handling of DAAP query and filter parameters. The values supplied through the query= and filter= parameters for DAAP fields that map to integer database columns are not sufficiently sanitized before being used in SQL, so a remote, unauthenticated attacker (Attack Vector: Network, User Interaction: None) can inject SQL expressions through those parameters and read media library data they are not authorized to see. The CVSS v4 vector rates the impact as Low for confidentiality and integrity and None for availability. The underlying defect is the familiar one of trusting a parameter to have the type its field name implies; values destined for an integer column must be validated as integers (or bound as parameters) before any SQL is built from them.
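The following is an added worked example, not OwnTone's code: a small Python model of a DAAP query term being translated into SQL against an in-memory SQLite library. The schema, the field-to-column mapping (daap.songyear, dmap.itemid) and the single-term 'field:value' parser are assumptions made for the example. The vulnerable translation pastes the value of an integer-mapped field straight into the WHERE clause; the hardened translation validates that the value is an integer and binds it as a parameter.

```python
import re
import sqlite3

# Constructed in-memory library used only for this example; it is not OwnTone's
# real schema (assumption).
SCHEMA = """
CREATE TABLE files (id INTEGER PRIMARY KEY, title TEXT, year INTEGER, path TEXT);
INSERT INTO files VALUES (1, 'Song A', 2001, '/music/a.mp3');
INSERT INTO files VALUES (2, 'Song B', 2015, '/music/b.mp3');
INSERT INTO files VALUES (3, 'Hidden', 1999, '/private/secret.mp3');
"""

# Hypothetical table of DAAP fields that map to integer SQL columns. The field
# names follow DAAP naming, but the mapping itself is an assumption.
INT_FIELDS = {"daap.songyear": "year", "dmap.itemid": "id"}

# One DAAP query term as sent in query=/filter=: 'field:value', quotes included.
TERM_RE = re.compile(r"^'([^':]+):([^']*)'$")


def parse_term(term):
    """Split a single DAAP query term into (field, value)."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"malformed DAAP term: {term!r}")
    field, value = m.group(1), m.group(2)
    if field not in INT_FIELDS:
        raise ValueError(f"unsupported field: {field!r}")
    return field, value


def where_vulnerable(term):
    """Model of the flaw: because the field is integer-mapped, the value is
    assumed to be an integer and pasted straight into the SQL text.
    Deliberately unsafe; kept only to demonstrate the injection."""
    field, value = parse_term(term)
    return f"{INT_FIELDS[field]} = {value}"


def where_hardened(term):
    """Fix: require the value of an integer-mapped field to be an integer and
    pass it as a bound parameter, so it can never change the query structure."""
    field, value = parse_term(term)
    if not re.fullmatch(r"-?\d+", value):
        raise ValueError(f"non-integer value for integer field {field}: {value!r}")
    return f"{INT_FIELDS[field]} = ?", (int(value),)


def _library():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_vulnerable(term):
    """Return the paths selected by the unsafe translation of `term`."""
    conn = _library()
    sql = f"SELECT path FROM files WHERE {where_vulnerable(term)}"
    return [row[0] for row in conn.execute(sql)]


def run_hardened(term):
    """Return the paths selected by the parameterised translation of `term`."""
    conn = _library()
    where, params = where_hardened(term)
    sql = f"SELECT path FROM files WHERE {where}"
    return [row[0] for row in conn.execute(sql, params)]


def hardened_rejects(term):
    """True if the hardened translation refuses `term` before any SQL runs."""
    try:
        where_hardened(term)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "'daap.songyear:2001'"
    bypass = "'daap.songyear:0 OR 1=1'"                           # discards the filter
    leak = "'daap.songyear:0 UNION SELECT sql FROM sqlite_master'"  # reads another table
    print("benign     :", run_vulnerable(benign))
    print("bypass     :", run_vulnerable(bypass))
    print("schema leak:", run_vulnerable(leak))
    print("hardened   :", run_hardened(benign),
          hardened_rejects(bypass), hardened_rejects(leak))
```

Running the script shows the benign term returning one track in both translations, while the two crafted terms make the vulnerable translation return the whole library and then the contents of sqlite_master; the hardened translation rejects both before a query is executed. Binding the parameter is what makes the structure of the statement fixed; the integer check on top of it also gives a clear error to the caller instead of a silent zero-row result.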

Affected Version(s)

owntone-server >= 28.4.0, < 29.1.0

owntone-server at commit d4784ebf2099ed1a4203333aee957e5c7553c217


CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 22 April 2026

Credit

Younghyo Cho @ CIS Lab., Seoultech.