HIGH 7.5

CVE-2026-10108: Unauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability

xiaomusic version 0.5.7 contains an unauthenticated vulnerability that allows attackers to download files from anywhere on the server, not just the music directory. The flaw exists in how the application validates file paths when serving content. An attacker can craft special requests that bypass this validation to read sensitive files—such as configuration files, private keys, or application source code—without needing any credentials. The vulnerability affects any exposed xiaomusic instance running the affected version.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a path traversal flaw (CWE-22) in the GET /music/{file_path:path} endpoint of xiaomusic v0.5.7. The application attempts to restrict file access to a designated music directory but implements an incomplete prefix check: it compares the requested path against a music_path prefix without enforcing a trailing path separator. This allows an attacker to request files from sibling directories whose names start with the music_path string. For example, if the music directory is /app/music, an attacker could access /app/music_backup or /app/music-private by exploiting the missing separator in the comparison logic. The lack of authentication on this endpoint means no credentials are required to exploit it.

Business impact

An attacker exploiting this flaw can exfiltrate sensitive data stored on the xiaomusic server, including application configuration (which may contain API keys or database credentials), user data, private encryption keys, or source code. In environments where xiaomusic runs alongside other services or stores sensitive information, the blast radius extends beyond music files. This is particularly concerning if xiaomusic instances are exposed to the internet or accessible from untrusted networks. Data loss and credential compromise are direct risks.

Affected systems

xiaomusic v0.5.7 is affected. Organizations running this specific version with the vulnerable endpoint exposed should prioritize assessment. Check deployment logs and asset inventories to identify all instances. If your organization uses xiaomusic, verify the installed version immediately. Vendors_products data indicates no specific downstream products are listed in the CVE record, so the impact is limited to direct xiaomusic deployments.

Exploitability

This vulnerability is straightforward to exploit. It requires no authentication, no special user interaction, and no complex setup—just a standard HTTP GET request with a crafted path parameter. The attack is reliable across network conditions (network-accessible, low complexity). An attacker with network access to the xiaomusic instance can begin exfiltrating files within seconds. Public proof-of-concept information may accelerate weaponization, though the CVSS vector reflects the inherent ease of exploitation (AV:N/AC:L/PR:N/UI:N).

Remediation

Upgrade xiaomusic to a patched version that correctly implements path validation. The fix must enforce a trailing path separator in the prefix comparison to ensure only files under the intended music directory are accessible. Verify against the vendor's advisory for the minimum patched version. As an interim mitigation, restrict network access to xiaomusic instances using firewall rules, reverse proxy authentication, or IP whitelisting. Do not rely on network isolation as a permanent solution.

Patch guidance

Consult the xiaomusic project repository or vendor advisories for the available patched release. Apply the update to all affected v0.5.7 instances in your environment. Test the patch in a non-production environment first to ensure compatibility with your deployment. After patching, verify that the /music endpoint correctly rejects traversal attempts by testing access to files outside the music directory.

Detection guidance

Monitor HTTP access logs for suspicious GET requests to the /music endpoint containing path traversal sequences (../, ..\, encoded variants like %2e%2e%2f). Look for requests targeting sensitive file paths (e.g., /etc/passwd, /app/config, files with extensions like .key, .pem, .conf). Correlate failed authentication attempts or 403 responses with subsequent 200 responses to the same endpoint, which may indicate an attacker probing then successfully exploiting the flaw. Endpoint detection and response (EDR) tools should flag unexpected file read patterns from the xiaomusic process.

Why prioritize this

This is a HIGH severity vulnerability (CVSS 7.5) that requires prompt action. It combines a high attack surface (unauthenticated, network-accessible), trivial exploitation, and meaningful confidentiality impact. The lack of KEV status does not diminish urgency—the vulnerability is objectively easy to exploit and affects data confidentiality. Organizations with exposed xiaomusic instances should treat this as a critical priority for immediate patching or isolation.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), and high confidentiality impact (C:H) with no integrity or availability impact. The score appropriately penalizes the unauthenticated access and ease of exploitation, balanced against the fact that the attacker can only read files, not modify or disrupt the service.

Frequently asked questions

How can I determine if my xiaomusic deployment is vulnerable?

Check the version of xiaomusic running in your environment. The vulnerability affects v0.5.7 specifically. Review your deployment or package management system (pip, docker, git tags) to confirm the version. If you are running v0.5.7, assume exposure and prioritize patching or isolation immediately.

Can this vulnerability be exploited from the internet, or only from internal networks?

The vulnerability can be exploited from any network location that has connectivity to the xiaomusic instance. If xiaomusic is exposed on the internet or reachable from untrusted networks, the risk is immediate. Even internal deployments should be patched promptly, as insider threats and lateral movement by compromised systems can leverage this flaw.

What files are most at risk of being exfiltrated?

An attacker can read any file accessible by the user account running xiaomusic. High-value targets include: application configuration files (containing API keys, database passwords), .env files, private SSH or TLS keys, application source code, and user data. The scope depends on the file permissions of the xiaomusic process and what sensitive data is co-located on the same server.

Is there a workaround if I cannot patch immediately?

Implement network-level access controls: place xiaomusic behind a firewall, reverse proxy, or WAF that enforces authentication or IP whitelisting. Disable or remove the GET /music endpoint if music serving is not essential. These are temporary measures—plan patching as soon as feasible. Do not rely on obfuscation or hoping the endpoint is not discovered.

This analysis is based on the CVE record published on 2026-05-29 and last modified on 2026-06-17. Verify all patch versions and vendor guidance against official xiaomusic releases and advisories. This vulnerability has not been added to the CISA KEV catalog as of the analysis date. SEC.co provides this intelligence for informational purposes; organizations should conduct their own risk assessment and testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).