Race Condition Vulnerability in OwnTone Server Affects DAAP Login Handler
CVE-2026-41458

8.2 HIGH

Key Information:

Vendor: Owntone

CVE Published: 22 April 2026

What is CVE-2026-41458?

OwnTone Server versions 28.4 to 29.0 contain a race condition in the DAAP login handler. The root cause is unsynchronized access to the global DAAP session list: an unauthenticated remote attacker can send many concurrent requests to the DAAP /login endpoint, and the resulting race can crash the server, causing a denial of service. No authentication is required to reach the affected endpoint.
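The defensive pattern the advisory implies is that every access to a shared session list must be serialized. The following C program is an added illustration of that pattern, not OwnTone's own code or its actual fix: the list layout, the function names, the mutex-based locking and the thread counts are all assumptions made for the example. It keeps a global session list behind one mutex, drives it from several concurrent "login handler" threads, and shows that the list stays consistent under that load.

```c
/* Added illustration (not OwnTone's code): a global DAAP-style session list
 * whose every access goes through one mutex, so concurrent login handlers
 * cannot race on the list's links. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

struct session {
  uint32_t id;
  struct session *next;
};

/* Global list shared by all handler threads. Touching such a list without
 * synchronization is the class of defect the advisory describes. */
static struct session *g_sessions = NULL;
static pthread_mutex_t g_sessions_lock = PTHREAD_MUTEX_INITIALIZER;
static uint32_t g_next_id = 1;

/* Allocate a session and link it at the head of the list under the lock.
 * Returns the new session id, or 0 on allocation failure. */
uint32_t session_create(void) {
  struct session *s = malloc(sizeof *s);
  if (!s) return 0;
  pthread_mutex_lock(&g_sessions_lock);
  s->id = g_next_id++;
  s->next = g_sessions;
  g_sessions = s;
  uint32_t id = s->id; /* copy before unlocking: a remover may free s afterwards */
  pthread_mutex_unlock(&g_sessions_lock);
  return id;
}

/* Unlink and free the session with the given id under the lock.
 * Returns 1 if it was found and removed, 0 otherwise. */
int session_remove(uint32_t id) {
  int found = 0;
  pthread_mutex_lock(&g_sessions_lock);
  for (struct session **pp = &g_sessions; *pp; pp = &(*pp)->next) {
    if ((*pp)->id == id) {
      struct session *victim = *pp;
      *pp = victim->next;
      free(victim);
      found = 1;
      break;
    }
  }
  pthread_mutex_unlock(&g_sessions_lock);
  return found;
}

/* Number of live sessions, read under the lock. */
size_t session_count(void) {
  size_t n = 0;
  pthread_mutex_lock(&g_sessions_lock);
  for (struct session *s = g_sessions; s; s = s->next) n++;
  pthread_mutex_unlock(&g_sessions_lock);
  return n;
}

/* Free every session and reset the id counter, under the lock. */
void session_clear(void) {
  pthread_mutex_lock(&g_sessions_lock);
  while (g_sessions) {
    struct session *s = g_sessions;
    g_sessions = s->next;
    free(s);
  }
  g_next_id = 1;
  pthread_mutex_unlock(&g_sessions_lock);
}

/* Stand-in for a login handler thread: it creates `*arg` sessions. */
static void *login_worker(void *arg) {
  int n = *(int *)arg;
  for (int i = 0; i < n; i++) session_create();
  return NULL;
}

#define MAX_THREADS 64

/* Start from an empty list, run `nthreads` concurrent login handlers that
 * each create `per_thread` sessions, join them, and return the resulting
 * session count (the expected value is nthreads * per_thread). */
size_t simulate_concurrent_logins(int nthreads, int per_thread) {
  if (nthreads < 1 || nthreads > MAX_THREADS || per_thread < 0) return 0;
  pthread_t tids[MAX_THREADS];
  session_clear();
  int started = 0;
  for (int i = 0; i < nthreads; i++) {
    if (pthread_create(&tids[i], NULL, login_worker, &per_thread) != 0) break;
    started++;
  }
  for (int i = 0; i < started; i++) pthread_join(tids[i], NULL);
  return session_count();
}

int main(void) {
  size_t n = simulate_concurrent_logins(8, 1000);
  printf("sessions after 8 x 1000 concurrent logins: %zu\n", n);
  session_clear();
  return n == 8000 ? 0 : 1;
}
```

The point of the example is the invariant, not the numbers: with the lock in place the count equals the number of logins issued no matter how the threads interleave, whereas unsynchronized head insertion can lose nodes or leave dangling links, which is the kind of corruption that ends in a crash.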

Affected Version(s)

owntone-server 28.7.0 < 29.1.0

owntone-server dca94641a5ed66500822dd51281774794cdb6c22

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Younghyo Cho @ CIS Lab., Seoultech.