CVE-2026-49128 is a path traversal vulnerability in Music Player Daemon (MPD) prior to version 0.24.11. The issue exists in the local storage plugin functions LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8, where the on-disk path is constructed by concatenating the storage root with a user-supplied URI without canonicalizing the path. This allows '..' segments to persist and be resolved by the kernel during file operations, enabling unauthorized directory traversal. An unauthenticated attacker can exploit this by issuing the listfiles command to enumerate arbitrary directory contents and the albumart command to read image files outside the configured music directory.

An unauthenticated attacker can enumerate file names, sizes, and modification times of arbitrary directories accessible by the MPD process and read image files from any directory outside the configured music directory. This exposure can lead to unauthorized disclosure of sensitive information stored on the system where MPD runs. The CVSS 4.0 base score is 8.7, indicating high severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions before 0.24.11, upgrading to version 0.24.11 or later is likely the intended remediation once officially released. Until a patch is confirmed, restrict network access to the MPD service and monitor for suspicious commands related to listfiles and albumart. Avoid exposing MPD to untrusted networks.