CVE-2026-41458: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in owntone owntone-server
OwnTone Server versions 28. 4 through 29. 0 have a race condition vulnerability in the DAAP login handler. This flaw allows unauthenticated attackers to crash the server by sending concurrent requests to the DAAP /login endpoint, causing a denial of service. The issue arises from unsynchronized access to the global DAAP session list. No authentication is required to exploit this vulnerability. The vulnerability has a high severity score of 8. 2 but no official patch or remediation guidance has been provided yet.
AI Analysis
Technical Summary
CVE-2026-41458 is a race condition vulnerability (CWE-362) in the OwnTone Server's DAAP login handler affecting versions 28.4 through 29.0. The vulnerability results from improper synchronization when accessing the global DAAP session list, enabling unauthenticated attackers to trigger a denial of service by flooding the /login endpoint with concurrent requests. This leads to a server crash due to concurrent execution issues. The CVSS 4.0 score is 8.2, indicating high severity, with attack vector network, high attack complexity, no privileges or user interaction required, and high impact on availability. No patch or official remediation has been disclosed as of the published date.
Potential Impact
An attacker can remotely cause a denial of service condition on the OwnTone Server by exploiting a race condition in the DAAP login handler. This results in a server crash without requiring authentication, potentially disrupting service availability for legitimate users. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider limiting access to the DAAP /login endpoint or implementing rate limiting to reduce the risk of exploitation. Monitor for updates from the OwnTone project regarding patches or mitigations.
CVE-2026-41458: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in owntone owntone-server
Description
OwnTone Server versions 28. 4 through 29. 0 have a race condition vulnerability in the DAAP login handler. This flaw allows unauthenticated attackers to crash the server by sending concurrent requests to the DAAP /login endpoint, causing a denial of service. The issue arises from unsynchronized access to the global DAAP session list. No authentication is required to exploit this vulnerability. The vulnerability has a high severity score of 8. 2 but no official patch or remediation guidance has been provided yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41458 is a race condition vulnerability (CWE-362) in the OwnTone Server's DAAP login handler affecting versions 28.4 through 29.0. The vulnerability results from improper synchronization when accessing the global DAAP session list, enabling unauthenticated attackers to trigger a denial of service by flooding the /login endpoint with concurrent requests. This leads to a server crash due to concurrent execution issues. The CVSS 4.0 score is 8.2, indicating high severity, with attack vector network, high attack complexity, no privileges or user interaction required, and high impact on availability. No patch or official remediation has been disclosed as of the published date.
Potential Impact
An attacker can remotely cause a denial of service condition on the OwnTone Server by exploiting a race condition in the DAAP login handler. This results in a server crash without requiring authentication, potentially disrupting service availability for legitimate users. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider limiting access to the DAAP /login endpoint or implementing rate limiting to reduce the risk of exploitation. Monitor for updates from the OwnTone project regarding patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-20T16:07:47.310Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8366d19fe3cd2cd3e6dec
Added to database: 4/22/2026, 2:46:05 AM
Last enriched: 4/22/2026, 3:01:02 AM
Last updated: 4/22/2026, 3:49:55 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.