UBUNTU-CVE-2026-49128

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-49128

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-49128

Upstream

CVE-2026-49128

Published

2026-05-28T20:16:00Z

Modified

2026-06-03T11:26:16Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.

References

Affected packages

Ubuntu:16.04:LTS

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.19.10-1build1

0.19.11-1

0.19.12-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.19.12-1",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"

Ubuntu:18.04:LTS

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.20.9-2

0.20.9-2build2

0.20.11-1

0.20.11-1build1

0.20.13-1

0.20.17-1

0.20.18-1

0.20.18-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.20.18-1build1",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"

Ubuntu:20.04:LTS

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.21.13-1build1

0.21.13-1build2

0.21.16-1

0.21.16-1build1

0.21.16-1build2

0.21.20-1

0.21.20-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.21.20-1build1",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"

Ubuntu:22.04:LTS

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.22.6-1build1

0.23.3-2

0.23.5-1build1

0.23.5-1build2

0.23.5-1build3

0.23.5-1build4

0.23.5-1build5

0.23.5-1build7

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.23.5-1build7",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"

Ubuntu:24.04:LTS

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.23.12-1build3

0.23.14-1

0.23.14-2

0.23.14-2build1

0.23.14-2build3

0.23.14-2build4

0.23.14-2build5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.23.14-2build5",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"

Ubuntu:25.10

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.23.17-1build1

0.24.3-1

0.24.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.24.4-1",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"

Ubuntu:26.04:LTS

mpd

Package

Name: mpd
Purl: pkg:deb/ubuntu/mpd?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.24.4-1

0.24.6-1

0.24.6-1build1

0.24.6-1build2

0.24.6-1build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.24.6-1build3",
            "binary_name": "mpd"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49128.json"