CVE-2026-2629: OS Command Injection in jishi node-sonos-http-api

Severity: Medium
Type: Vulnerability
Published: Tue Feb 17 2026 (02/17/2026, 22:02:07 UTC)
Source: CVE Database V5
Vendor/Project: jishi
Product: node-sonos-http-api

Description

A weakness has been identified in jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7. Affected is the function Promise of the file lib/tts-providers/mac-os.js of the component TTS Provider. This manipulation of the argument phrase causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/24/2026, 23:22:34 UTC

Technical Analysis

CVE-2026-2629 identifies an OS command injection weakness in jishi node-sonos-http-api, a Node.js HTTP API for controlling Sonos speakers. The vulnerability resides in the TTS (text-to-speech) provider component, specifically in the Promise function of lib/tts-providers/mac-os.js. The 'phrase' argument reaches a context in which an OS command is executed without adequate validation or escaping, so shell metacharacters supplied in the phrase change the command that actually runs and let a remote, unauthenticated caller execute arbitrary commands with the privileges of the node-sonos-http-api process. The CVSS 4.0 vector records a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N) and low-rated impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L), which is why the entry is rated Medium rather than critical; in practice, arbitrary command execution on the host can still lead to data theft, service disruption or full compromise depending on how the service is deployed. The project follows a rolling release model, so there are no affected or fixed version numbers and exposure has to be tracked by commit hash (the advisory names the affected range only up to commit 3776f0ee2261c924c7b7204de121a38100a08ca7). As of publication the maintainers have not responded to the issue report, no fix has been recorded, and exploit code is publicly available. The affected file is the macOS TTS provider, so the flaw is relevant to deployments that run node-sonos-http-api on macOS with TTS functionality in use.

Potential Impact

The primary impact of CVE-2026-2629 is that a remote attacker can execute arbitrary operating system commands on a host running node-sonos-http-api with the vulnerable macOS TTS provider, with whatever privileges the service process holds. That can mean unauthorized access to or modification of data on the host, disruption of the service, and, if the process runs with broad privileges, full compromise of the machine. Because the flaw needs no authentication and no user interaction, the barrier to exploitation is low. In the smart-home and integrated audio setups where this API is typically deployed, a compromised host can also be used as a foothold for lateral movement into the internal network and for exposure of anything the host can reach. Public exploit code makes automated or low-skill exploitation more likely, and the rolling release model, with no version numbers to pin, makes it harder to tell which deployments are exposed and prolongs the window. Overall the vulnerability poses a moderate to high risk to confidentiality, integrity and availability, highest where node-sonos-http-api is reachable from untrusted networks or internet-facing interfaces.

Mitigation Recommendations

To mitigate CVE-2026-2629, first identify every deployment of node-sonos-http-api, particularly those running on macOS with the TTS provider in use; because there are no release numbers, record the deployed commit hash and compare it against the affected range named in the advisory. Until a fix is published, disable the TTS provider or restrict the service to trusted internal networks. The durable fix for this bug class is to stop passing the phrase through a shell at all, i.e. invoke the TTS binary with an argument array rather than a concatenated command string; if you maintain a fork or a local patch, make that change rather than relying on escaping. Strict validation of the 'phrase' parameter (an allowlist of characters a spoken phrase legitimately needs, plus a length cap) is worthwhile defense in depth at the API boundary, but it is not a substitute for fixing the command construction. Use network-level controls such as firewall rules or an API gateway so that only authorized clients can reach the service, since the API itself requires no authentication. Monitor access logs for unexpected requests to the TTS endpoint, especially phrases containing shell metacharacters or unusual percent-encoding, and monitor the host for child processes spawned by the node process that are not the expected TTS command. Track the project's issue tracker and commits so a fix can be applied promptly once one lands. Run the service under a dedicated low-privilege account, or containerize or sandbox it, to limit what an injected command can do. Regularly audit and update dependencies and review any custom integrations built on this API for the same pattern.

Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-02-17T13:47:54.918Z
CVSS Version
4.0
State
PUBLISHED

Threat ID: 6994e88380d747be20dc67c4

Added to database: 2/17/2026, 10:15:31 PM

Last enriched: 2/24/2026, 11:22:34 PM

Last updated: 4/5/2026, 8:23:18 AM
