CVE-2026-23877: CWE-25: Path Traversal: '/../filedir' in swingmx swingmusic
Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-23877 is a directory traversal vulnerability classified under CWE-25 and CWE-284 affecting the Swing Music self-hosted music player software. The vulnerability resides in the list_folders() function exposed via the /folder/dir-browser endpoint. Prior to version 2.1.4, this function does not properly sanitize user input, allowing authenticated users to manipulate the directory path parameter to traverse outside the intended music directories using sequences like '/../'. This enables attackers with valid credentials to access arbitrary directories on the underlying server filesystem. Although the vulnerability requires authentication, it does not require elevated privileges or user interaction beyond login. The exposure primarily risks confidentiality as attackers can read sensitive files outside the application scope but cannot modify or delete files. The CVSS 4.0 base score is 5.3 (medium severity) reflecting network attack vector, low attack complexity, and limited scope impact confined to confidentiality. No known exploits are currently reported in the wild. The issue is resolved in Swing Music version 2.1.4 by implementing proper input validation and path normalization to prevent directory traversal. Organizations running vulnerable versions should upgrade immediately to mitigate risk.
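The fix the advisory describes is path normalization followed by a containment check. The block below is an added illustration of that pattern, not Swing Music's own code: `list_folders_hardened`, `resolve_within_roots` and the temp-dir layout in `demo()` are all assumptions constructed for this example.

```python
import os
import tempfile
from typing import Dict, List


class PathTraversalError(ValueError):
    """Requested path resolves outside every permitted root."""


def resolve_within_roots(requested: str, allowed_roots: List[str]) -> str:
    """Canonicalise `requested` and return it only if it stays inside one root.

    Normalisation runs *before* the containment check, so '..' segments,
    duplicate separators and symlinks are collapsed first; a check on the raw
    string would be fooled by exactly the '/../' sequences this CVE abuses.
    """
    candidate = os.path.realpath(requested)
    for root in (os.path.realpath(r) for r in allowed_roots):
        # commonpath compares whole components, so '/music2' is not accepted
        # as a child of '/music' the way a naive startswith() check would.
        if os.path.commonpath([root, candidate]) == root:
            return candidate
    raise PathTraversalError(f"path escapes configured roots: {requested!r}")


def list_folders_hardened(requested: str, allowed_roots: List[str]) -> List[str]:
    """Directory browser that lists sub-folders only of a validated path."""
    safe_dir = resolve_within_roots(requested, allowed_roots)
    return sorted(n for n in os.listdir(safe_dir)
                  if os.path.isdir(os.path.join(safe_dir, n)))


def demo() -> Dict[str, object]:
    """Exercise the check on a constructed tree in a temp dir (sample data only)."""
    base = tempfile.mkdtemp()
    music = os.path.join(base, "music")          # the one configured root
    for sub in ("albums", "podcasts"):
        os.makedirs(os.path.join(music, sub))
    os.makedirs(os.path.join(base, "secret"))    # sibling: must stay unreachable
    os.makedirs(os.path.join(base, "music2"))    # prefix-collision sibling

    def blocked(path: str) -> bool:
        try:
            list_folders_hardened(path, [music])
            return False
        except PathTraversalError:
            return True

    return {
        "inside": list_folders_hardened(os.path.join(music, "albums", ".."), [music]),
        "traversal_blocked": blocked(os.path.join(music, "..", "secret")),
        "sibling_prefix_blocked": blocked(music + "2"),
    }
```

A request that uses `..` but still resolves inside the root is served; one that resolves to a sibling directory, including a sibling whose name merely shares the root's prefix, is rejected.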
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive server files if they use Swing Music versions prior to 2.1.4. Confidential information such as configuration files, credentials, or private data stored on the server could be exposed to any authenticated user, including non-admin personnel or potentially compromised accounts. This could facilitate further attacks or data breaches. While the vulnerability does not allow modification or deletion of files, the confidentiality breach alone can have regulatory and reputational consequences, especially under GDPR requirements. Organizations using Swing Music in environments with sensitive data or shared user access are particularly at risk. The impact is limited to confidentiality and requires authentication, reducing the likelihood of widespread exploitation but still necessitating prompt remediation.
Mitigation Recommendations
1. Upgrade all instances of Swing Music to version 2.1.4 or later, which contains the patch for this vulnerability.
2. Restrict access to the Swing Music application to trusted users only and enforce strong authentication mechanisms to reduce risk of compromised accounts.
3. Implement network segmentation and firewall rules to limit access to the server hosting Swing Music, minimizing exposure.
4. Monitor application logs for unusual directory browsing activity indicative of exploitation attempts.
5. Conduct regular audits of server filesystem permissions to ensure sensitive directories are not unnecessarily exposed.
6. If upgrading immediately is not possible, consider disabling or restricting the /folder/dir-browser endpoint temporarily.
7. Educate users about the risks of credential compromise and enforce multi-factor authentication where feasible.
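Recommendation 4 asks for log monitoring of the dir-browser endpoint. The scanner below is an added example, not tooling from Swing Music or the advisory: the log line format, the `folder` query parameter name and the sample lines are all constructed assumptions, and the check decodes the parameter before looking for a `..` path segment so that percent-encoded variants are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real Swing Music logs). Assumed
# format: client IP, authenticated user, method, request target, status.
SAMPLE_LOG = """\
10.0.0.5 alice GET /folder/dir-browser?folder=/srv/music/albums 200
10.0.0.5 alice GET /folder/dir-browser?folder=/srv/music/albums/../podcasts 200
10.0.0.9 bob GET /folder/dir-browser?folder=/srv/music/..%2F..%2Fetc 200
10.0.0.9 bob GET /folder/dir-browser?folder=/srv/music/%2e%2e/ 200
10.0.0.7 carol GET /search?q=..%2F 200
10.0.0.7 carol GET /folder/dir-browser?folder=/srv/music/rock 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$"
)
ENDPOINT = "/folder/dir-browser"
PARAM = "folder"  # assumed name of the directory path parameter


def has_traversal_segment(value: str) -> bool:
    """True if the (possibly encoded) path contains a '..' component."""
    decoded = unquote(unquote(value))        # two passes also catch double-encoding
    segments = re.split(r"[\\/]+", decoded)  # treat '\\' like '/' to be safe
    return ".." in segments


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per dir-browser request whose path parameter steps up.

    A browsing UI never emits '..' itself, so any such request deserves review;
    correlate by user and client IP before deciding it is an abuse attempt.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get(PARAM, []):   # parse_qs decodes once
            if has_traversal_segment(value):
                hits.append({"ip": m["ip"], "user": m["user"],
                             "folder": unquote(unquote(value))})
    return hits
```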
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T21:02:02.900Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696e9cb34623b1157cce9c8e
Added to database: 1/19/2026, 9:05:55 PM
Last enriched: 1/19/2026, 9:20:29 PM
Last updated: 1/20/2026, 8:11:06 PM