CVE Alert

CVE-2026-41458

UNKNOWN 0.0

OwnTone Server < 29.1 Race Condition DoS via DAAP Login

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

CWE CWE-362
Vendor owntone
Product owntone-server
Published Apr 22, 2026

Affected Versions

owntone / owntone-server
28.7.0 < 29.1.0

References

github.com: https://github.com/owntone/owntone-server/pull/1980
github.com: https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22
vulncheck.com: https://www.vulncheck.com/advisories/owntone-server-race-condition-dos-via-daap-login

Credits

Younghyo Cho @ CIS Lab., Seoultech.