CVE-2026-50233: Lyrion Music Server 9.2.0 Arbitrary Directory Enumeration Vulnerability
Lyrion Music Server version 9.2.0 has a flaw that allows attackers to browse any folder on the server's hard drive without authentication or permission. The vulnerability exists in a directory-listing function exposed through both a command-line service and a web interface. An attacker on the network can exploit this to discover sensitive files and system information, potentially uncovering credentials, configuration details, or other valuable data stored on the host.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-548
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50233 is an arbitrary directory enumeration vulnerability affecting Lyrion Music Server 9.2.0. The readdirectory query parameter fails to enforce access controls, permitting unauthenticated remote users to list directory contents outside the intended media library scope. The vulnerability is exposed via two attack surfaces: the CLI service listening on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js. The server does not restrict queries to configured media directories by default, and the absence of authentication in the default configuration means any network-adjacent attacker can invoke the vulnerable function.
Business impact
Organizations deploying Lyrion Music Server 9.2.0 in network environments face information disclosure risk. Attackers can enumerate filesystem structure, locate sensitive files (such as configuration databases, private keys, or customer data), and use discovered paths as reconnaissance for follow-on attacks. This is particularly concerning if the music server shares a host with other applications or services, or if the underlying system contains non-media business data. The low barrier to exploitation—no authentication required—means the attack surface is broad.
Affected systems
Lyrion Music Server version 9.2.0 is affected. The vulnerability is exposed by default through both the CLI service (port 9090) and the HTTP JSON-RPC interface (/jsonrpc.js). Systems running this version on network-accessible hosts are at risk if default configurations are in place. Later versions or patched releases from the vendor should be consulted to determine if mitigation or patches are available.
Exploitability
Exploitation is straightforward and requires no authentication. An attacker with network access to either the CLI port (9090) or the HTTP endpoint can craft directory-listing queries using the readdirectory parameter to enumerate arbitrary paths. The CVSS 3.1 score of 5.3 (Medium) reflects the low complexity, network accessibility, and absence of required privileges; impact is limited to confidentiality (information disclosure) with no direct integrity or availability consequences. However, the reconnaissance value should not be underestimated—filesystem enumeration is often a precursor to privilege escalation or lateral movement attacks.
Remediation
Immediate actions include upgrading Lyrion Music Server to a patched version released by the vendor after the modification date of 2026-06-17. Verify against the vendor's official advisory for the specific version number. As an interim measure, restrict network access to port 9090 and the HTTP JSON-RPC endpoint using firewall rules, limiting access to trusted clients only. Enable authentication in the server configuration if available. Consider deploying the application in a network segment isolated from sensitive systems or data.
Patch guidance
Consult the Lyrion Music Server vendor advisory for patch availability and recommended upgrade paths from version 9.2.0. Apply patches in a test environment before production deployment to ensure compatibility with your deployment and any customizations. Monitor vendor release notes and security announcements for this product going forward.
Detection guidance
Monitor network logs for repeated requests to /jsonrpc.js or TCP port 9090 with readdirectory parameters, especially from untrusted sources. Web application firewalls (WAF) can be configured to detect and block JSON-RPC queries that invoke readdirectory with suspicious path traversal indicators. Inspect server logs for enumeration patterns: rapid successive queries targeting common system directories (/etc, /home, /var, /root, Windows equivalents) may indicate active exploitation. Baseline normal API usage and alert on deviations.
Why prioritize this
Although the CVSS score is Medium (5.3), prioritize patching based on network exposure and the presence of sensitive data. If the music server is internet-facing or accessible from untrusted networks, elevate priority. If it runs in an isolated LAN with strong egress monitoring, the risk is lower but should not be deferred. Information disclosure vulnerabilities are often chained with other flaws; removing this reconnaissance vector reduces overall attack surface.
Risk score, explained
The CVSS 3.1 score of 5.3 (Medium severity) reflects Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, and limited impact to Confidentiality. The score appropriately captures the ease of exploitation and the information disclosure risk but does not account for the strategic value of reconnaissance in multi-stage attacks. Organizations should weigh the actual sensitivity of data on affected hosts when determining internal prioritization.
Frequently asked questions
Can this vulnerability be exploited remotely from the Internet?
Yes, if the Lyrion Music Server is accessible from the Internet (port 9090 or HTTP endpoint exposed). However, an attacker also needs network access to reach the server. If the service is behind a properly configured firewall or NAT, and only accessible from your internal network, the threat surface is reduced but not eliminated.
Does disabling the CLI service prevent exploitation?
Disabling the CLI service on port 9090 closes one attack vector, but the HTTP JSON-RPC endpoint (/jsonrpc.js) remains vulnerable by default. Both surfaces must be secured—either by patching, restricting network access, or enabling authentication.
Can attackers access actual file contents, or just list directories?
This vulnerability permits directory enumeration only. Attackers can see folder structures and filenames, but the vulnerability itself does not allow reading file contents. However, the directory listing can reveal sensitive information (e.g., usernames, application paths, configuration structures) useful for further attacks.
What is the difference between this vulnerability and a path traversal flaw?
Path traversal typically allows an attacker to access files outside the intended directory by using sequences like '../'. This flaw is directory enumeration: it removes the boundary that restricts queries to the media library, but does not require traversal sequences. The attacker can directly query any path the server process can access.
This analysis is based on the published CVE details and vendor information current as of June 2026. Patch availability, version numbers, and remediation steps should be verified against the official Lyrion Music Server vendor advisory and security releases. Testing patches in a controlled environment before production deployment is essential. SEC.co provides this analysis for informational purposes to help security teams prioritize and contextualize risk; it does not constitute a guarantee of security or freedom from liability. Organizations are responsible for assessing their own exposure and implementing appropriate controls. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability