HIGH 7.5

CVE-2026-50234: Lyrion Music Server 9.2.0 Path Traversal Vulnerability (7.5 CVSS)

Lyrion Music Server version 9.2.0 has a path traversal flaw that lets attackers read files they shouldn't have access to. Because the vulnerability doesn't require authentication and can be exploited over the network with minimal complexity, an attacker can craft requests to step outside the intended directory and retrieve sensitive system or application files. The flaw affects confidentiality but does not enable attackers to modify files or disrupt service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Lyrion Music Server 9.2.0 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting directory traversal in the web server context. Attackers can manipulate file path parameters to access sensitive files outside the intended directory structure.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-50234 is a CWE-22 path traversal vulnerability in Lyrion Music Server 9.2.0. The web server context fails to properly validate or sanitize file path parameters, allowing directory traversal sequences (such as ../ notation) to escape the intended directory scope. Unauthenticated network attackers can exploit this with low attack complexity to achieve high-impact information disclosure. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a score of 7.5 (HIGH severity).

Business impact

Unauthorized access to arbitrary files exposes sensitive data such as configuration files, API keys, database credentials, user information, or other intellectual property stored on the affected server. This can lead to lateral movement, credential compromise, and further attacks on related systems. Depending on the files accessible, attackers may obtain enough information to bypass additional security controls or establish persistence. The lack of authentication requirement significantly increases the threat surface.

Affected systems

Lyrion Music Server 9.2.0 is confirmed affected. Organizations running this version in any deployment context—whether public-facing or internal—are at risk. The vulnerability applies across network-accessible instances regardless of deployment environment (cloud, on-premises, containerized).

Exploitability

Exploitation is straightforward: the attack requires only network access and a crafted HTTP request with manipulated path parameters. No authentication, special tools, or user interaction are necessary. The simplicity of exploitation, combined with the network-accessible nature of music server applications, means this vulnerability can be rapidly weaponized. No evidence of in-the-wild exploitation has been reported as of the current date, but the low barrier to exploitation makes active discovery and attempts likely.

Remediation

Upgrade Lyrion Music Server to a patched version released after 9.2.0 that addresses path traversal validation. Verify the vendor advisory for the specific patch version number and confirm its availability for your deployment. Until patching is possible, implement network-level controls: restrict direct access to the music server's web interface to trusted IP ranges, deploy a Web Application Firewall (WAF) with path traversal detection rules, and monitor for suspicious file access patterns in web server logs.

Patch guidance

Check the Lyrion project's official advisory and release notes for the patched version addressing CVE-2026-50234. Apply the update in a test environment first to confirm compatibility with your configuration. If running containerized instances, rebuild images with the patched version and redeploy. If a patch is not yet available, contact the vendor for an expected release timeline and consider temporary mitigation strategies.

Detection guidance

Monitor web server access logs for requests containing path traversal sequences (../, ..\ or encoded variants like %2e%2e%2f). Search for unusual file access attempts targeting sensitive locations such as /etc/, /proc/, /var/log/, or configuration directories. Endpoint Detection and Response (EDR) tools should flag any abnormal file read operations originating from the music server process. Network-based detection can identify attempts to access suspicious file paths through the web service's normal API endpoints.

Why prioritize this

Although not yet listed on the CISA KEV catalog, this vulnerability warrants immediate prioritization due to its HIGH CVSS score (7.5), unauthenticated attack vector, and low complexity of exploitation. The direct exposure of file read capabilities creates a clear and present information disclosure risk. Music server applications are often internet-facing or accessible within internal networks, increasing real-world attack likelihood. The publication date of June 2026 means awareness among threat actors is expected to grow rapidly.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects the combination of network-based attack vector (AV:N), no authentication requirement (PR:N), low attack complexity (AC:L), and high confidentiality impact (C:H) against an unchanged security scope. Integrity and availability are not affected, keeping the score from reaching CRITICAL. However, the practical ease of exploitation and the sensitivity of files typically accessible to web servers justify treating this as a critical-priority patch.

Frequently asked questions

Can this vulnerability be exploited if the music server is behind a firewall or not directly internet-facing?

Yes. Any network path that reaches the web server—whether from the internet, internal network, or VPN—is exploitable. A music server behind a firewall accessible only to internal users is still at risk from compromised internal hosts or malicious insiders.

What files are most at risk of being leaked?

Configuration files (database credentials, API keys), application source code, system files (/etc/passwd, environment files), web server logs, and any data stored in the application directory or above. The attacker can enumerate and read any file the web server process has permission to access.

Is there a workaround if we cannot patch immediately?

Network segmentation is the primary interim control. Restrict network access to the music server to only authorized users and systems using firewall rules or network segmentation. Deploy a WAF rule set to block requests with path traversal patterns. Monitor logs aggressively. However, these are not substitutes for patching; treat them as temporary measures only.

Why is this not on the CISA KEV list yet?

The KEV catalog is updated based on evidence of active exploitation in the wild. This vulnerability may not yet have sufficient public evidence of weaponization or coordinated attacks. However, lack of KEV status does not indicate lower risk; the CVSS score and technical characteristics make it exploitable and dangerous.

This analysis is provided for informational and defensive security purposes only. Patch version numbers and vendor-specific guidance should be verified directly against official Lyrion Music Server advisories before deployment. No exploit code or weaponized proof-of-concept is included or endorsed. Organizations should conduct their own risk assessment and testing in non-production environments before applying patches. SEC.co does not warrant the completeness or accuracy of external vendor advisories and recommends direct consultation with Lyrion support for deployment-specific questions. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).