CVE-2026-26975: CWE-73: External Control of File Name or Path in music-assistant server
Music Assistant server versions 2.6.3 and below contain a vulnerability allowing unauthenticated network-adjacent attackers to execute arbitrary code. The issue arises from the music/playlists/update API, which permits bypassing the . m3u extension enforcement and writing files anywhere on the filesystem. Because the container runs as root, attackers can write malicious . pth files into the Python site-packages directory, leading to remote code execution when Python loads these files. This vulnerability is fixed in version 2.7.0.
AI Analysis
Technical Summary
CVE-2026-26975 is an external control of file name or path vulnerability (CWE-73) in the Music Assistant server prior to version 2.7.0. The music/playlists/update API does not properly enforce file extension restrictions, allowing attackers to write arbitrary files to the filesystem. Running the server container as root exacerbates the issue, enabling attackers to place malicious .pth files in the Python site-packages directory. These files execute arbitrary code when Python imports modules, resulting in remote code execution. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity, and affects versions below 2.7.0. The issue is resolved in version 2.7.0.
Potential Impact
Successful exploitation allows unauthenticated attackers with network adjacency to execute arbitrary code on the affected system with root privileges. This can lead to full system compromise, data loss, or service disruption. The high CVSS score reflects the critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade Music Assistant server installations to version 2.7.0 or later, where this vulnerability is fixed. Running the container as a non-root user can reduce risk but does not replace applying the official fix. Patch status is confirmed fixed in version 2.7.0.
CVE-2026-26975: CWE-73: External Control of File Name or Path in music-assistant server
Description
Music Assistant server versions 2.6.3 and below contain a vulnerability allowing unauthenticated network-adjacent attackers to execute arbitrary code. The issue arises from the music/playlists/update API, which permits bypassing the . m3u extension enforcement and writing files anywhere on the filesystem. Because the container runs as root, attackers can write malicious . pth files into the Python site-packages directory, leading to remote code execution when Python loads these files. This vulnerability is fixed in version 2.7.0.
CVSS v3.1
Score 8.8high
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-26975 is an external control of file name or path vulnerability (CWE-73) in the Music Assistant server prior to version 2.7.0. The music/playlists/update API does not properly enforce file extension restrictions, allowing attackers to write arbitrary files to the filesystem. Running the server container as root exacerbates the issue, enabling attackers to place malicious .pth files in the Python site-packages directory. These files execute arbitrary code when Python imports modules, resulting in remote code execution. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity, and affects versions below 2.7.0. The issue is resolved in version 2.7.0.
Potential Impact
Successful exploitation allows unauthenticated attackers with network adjacency to execute arbitrary code on the affected system with root privileges. This can lead to full system compromise, data loss, or service disruption. The high CVSS score reflects the critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade Music Assistant server installations to version 2.7.0 or later, where this vulnerability is fixed. Running the container as a non-root user can reduce risk but does not replace applying the official fix. Patch status is confirmed fixed in version 2.7.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-16T22:20:28.612Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6997b28bd7880ec89b4763b0
Added to database: 02/20/2026, 01:02:03 UTC
Last enriched: 05/26/2026, 20:26:02 UTC
Last updated: 07/09/2026, 21:29:20 UTC
Views: 193
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.