ByteOS Network

NVD Vulnerability Details :

CVE-2026-41458

Received

Source-disclosure@vulncheck.com

Published At-22 Apr, 2026 | 03:16

Updated At-22 Apr, 2026 | 03:16

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.2	HIGH	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 8.2

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-362	Primary	disclosure@vulncheck.com

CWE ID: CWE-362

Type: Primary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22	disclosure@vulncheck.com	N/A
https://github.com/owntone/owntone-server/pull/1980	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login	disclosure@vulncheck.com	N/A