{"id":"CVE-2026-26975","summary":"Music Assistant Server Path Traversal in Playlist Update API Allows Remote Code Execution","details":"Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass the .m3u extension enforcement and write files anywhere on the filesystem, which is exacerbated by the container running as root. This can be exploited to achieve Remote Code Execution by writing a malicious .pth file to the Python site-packages directory, which will execute arbitrary commands when Python loads. This issue has been fixed in version 2.7.0.","aliases":["GHSA-7jcc-p6xr-835j"],"modified":"2026-04-10T05:38:20.151855Z","published":"2026-02-20T00:49:03.306Z","database_specific":{"cwe_ids":["CWE-22","CWE-434","CWE-73"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26975.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/music-assistant/server/releases/tag/2.7.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26975.json"},{"type":"ADVISORY","url":"https://github.com/music-assistant/server/security/advisories/GHSA-7jcc-p6xr-835j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26975"},{"type":"FIX","url":"https://github.com/music-assistant/server/pull/2684"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/music-assistant/server","events":[{"introduced":"0"},{"fixed":"6d279fa5ff04987db62278857851ea5f84f551d8"}]}],"versions":["0.0.14","0.0.15","0.0.16","0.0.18","0.0.20","0.0.21","0.0.22","0.0.23","0.0.24","0.0.25","0.0.26","0.0.27","0.0.28","0.0.30","0.0.31","0.0.32","0.0.33","0.0.34","0.0.35","0.0.36","0.0.37","0.0.38","0.0.39","0.0.40","0.0.41","0.0.42","0.0.43","0.0.44","0.0.45","0.0.46","0.0.47","0.0.48","0.0.49","0.0.50","0.0.51","0.0.52","0.0.53","0.0.54","0.0.55","0.0.56","0.0.57","0.0.58","0.0.59","0.0.61","0.0.62","0.0.63","0.0.64","0.0.65","0.0.66","0.0.67","0.0.68","0.0.69","0.0.70","0.0.71","0.0.72","0.0.73","0.0.74","0.0.75","0.0.76","0.0.77","0.0.78","0.0.79","0.0.80","0.0.81","0.0.82","0.0.83","0.0.84","0.0.85","0.0.86","0.0.87","0.1.0","0.1.1","0.1.10","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.8","0.1.9","0.2.0","0.2.1","0.2.10","0.2.11","0.2.12","0.2.13","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.2.9","1.0.0","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.20","1.0.21","1.0.22","1.0.23","1.0.25","1.0.26","1.0.29","1.0.30","1.0.31","1.0.32","1.0.33","1.0.34","1.0.35","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.1.0","1.1.10","1.1.11","1.1.12","1.1.13","1.1.15","1.1.16","1.1.17","1.1.18","1.1.19","1.1.2","1.1.20","1.1.22","1.1.23","1.1.24","1.1.3","1.1.5","1.1.6","1.1.7","1.1.8","1.2.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.10","1.4.11","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.5.0","1.6.0","1.6.1","1.6.2","1.6.4","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","2.0.0","2.0.0b0","2.0.0b10","2.0.0b100","2.0.0b101","2.0.0b102","2.0.0b104","2.0.0b105","2.0.0b106","2.0.0b107","2.0.0b108","2.0.0b109","2.0.0b110","2.0.0b111","2.0.0b112","2.0.0b113","2.0.0b114","2.0.0b115","2.0.0b116","2.0.0b117","2.0.0b118","2.0.0b119","2.0.0b12","2.0.0b120","2.0.0b121","2.0.0b122","2.0.0b124","2.0.0b125","2.0.0b126","2.0.0b127","2.0.0b128","2.0.0b129","2.0.0b13","2.0.0b130","2.0.0b131","2.0.0b132","2.0.0b133","2.0.0b134","2.0.0b135","2.0.0b136","2.0.0b137","2.0.0b138","2.0.0b139","2.0.0b141","2.0.0b142","2.0.0b143","2.0.0b144","2.0.0b145","2.0.0b146","2.0.0b147","2.0.0b148","2.0.0b16","2.0.0b17","2.0.0b19","2.0.0b2","2.0.0b21","2.0.0b22","2.0.0b24","2.0.0b25","2.0.0b26","2.0.0b27","2.0.0b28","2.0.0b29","2.0.0b3","2.0.0b30","2.0.0b31","2.0.0b33","2.0.0b34","2.0.0b35","2.0.0b36","2.0.0b37","2.0.0b38","2.0.0b39","2.0.0b4","2.0.0b40","2.0.0b41","2.0.0b42","2.0.0b43","2.0.0b47","2.0.0b48","2.0.0b49","2.0.0b5","2.0.0b50","2.0.0b51","2.0.0b52","2.0.0b53","2.0.0b54","2.0.0b55","2.0.0b57","2.0.0b58","2.0.0b59","2.0.0b6","2.0.0b60","2.0.0b61","2.0.0b62","2.0.0b63","2.0.0b64","2.0.0b65","2.0.0b66","2.0.0b67","2.0.0b68","2.0.0b69","2.0.0b7","2.0.0b70","2.0.0b71","2.0.0b72","2.0.0b73","2.0.0b74","2.0.0b75","2.0.0b76","2.0.0b77","2.0.0b78","2.0.0b79","2.0.0b8","2.0.0b80","2.0.0b81","2.0.0b82","2.0.0b83","2.0.0b84","2.0.0b85","2.0.0b86","2.0.0b87","2.0.0b88","2.0.0b89","2.0.0b9","2.0.0b90","2.0.0b91","2.0.0b92","2.0.0b93","2.0.0b94","2.0.0b95","2.0.0b96","2.0.0b97","2.0.0b98","2.0.0b99","2.0.0rc1","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.0b0","2.1.0b1","2.1.0b10","2.1.0b11","2.1.0b12","2.1.0b13","2.1.0b14","2.1.0b15","2.1.0b2","2.1.0b3","2.1.0b4","2.1.0b5","2.1.0b6","2.1.0b7","2.1.0b8","2.1.0b9","2.1.0rc1","2.1.0rc3","2.1.2","2.1.3","2.1.4","2.2.0","2.2.0b0","2.2.0b1","2.2.0b10","2.2.0b11","2.2.0b2","2.2.0b3","2.2.0b4","2.2.0b5","2.2.0b6","2.2.0b7","2.2.0b8","2.2.0b9","2.2.0rc1","2.2.0rc2","2.2.1","2.2.2","2.3.0","2.3.0b0","2.3.0b1","2.3.0b15","2.3.0b16","2.3.0b17","2.3.0b19","2.3.0b2","2.3.0b20","2.3.0b21","2.3.0b22","2.3.0b23","2.3.0b24","2.3.0b25","2.3.0b26","2.3.0b27","2.3.0b28","2.3.0b29","2.3.0b3","2.3.0b30","2.3.0b31","2.3.0b32","2.3.0b33","2.3.0b34","2.3.0b4","2.3.0b5","2.3.0b6","2.3.0b7","2.3.0b8","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.1","2.3.4","2.4.0","2.4.0b0","2.4.0b1","2.4.0b10","2.4.0b11","2.4.0b12","2.4.0b13","2.4.0b14","2.4.0b15","2.4.0b16","2.4.0b17","2.4.0b18","2.4.0b19","2.4.0b2","2.4.0b21","2.4.0b22","2.4.0b23","2.4.0b24","2.4.0b25","2.4.0b26","2.4.0b27","2.4.0b28","2.4.0b29","2.4.0b3","2.4.0b30","2.4.0b4","2.4.0b5","2.4.0b6","2.4.0b7","2.4.0b8","2.4.0b9","2.4.0rc1","2.4.0rc2","2.4.0rc4","2.4.0rc6","2.4.0rc7","2.4.0rc8","2.4.1","2.4.2","2.5.0","2.5.0b0","2.5.0b1","2.5.0b10","2.5.0b11","2.5.0b12","2.5.0b13","2.5.0b14","2.5.0b15","2.5.0b16","2.5.0b17","2.5.0b18","2.5.0b19","2.5.0b2","2.5.0b20","2.5.0b21","2.5.0b22","2.5.0b23","2.5.0b24","2.5.0b3","2.5.0b4","2.5.0b5","2.5.0b7","2.5.0b8","2.5.0b9","2.5.0rc","2.5.1","2.6.0b0","2.6.0b1","2.6.0b10","2.6.0b11","2.6.0b12","2.6.0b13","2.6.0b14","2.6.0b2","2.6.0b3","2.6.0b4","2.6.0b5","2.6.0b6","2.6.0b7","2.6.0b8","2.6.0b9","2.7.0.b0","2.7.0.dev20251001","2.7.0.dev20251023","2.7.0.dev20251024","2.7.0.dev2025102503","2.7.0.dev2025102516","2.7.0.dev2025102602","2.7.0.dev2025102603","2.7.0.dev2025102615","2.7.0.dev2025102723","2.7.0.dev2025102801","2.7.0.dev2025102803","2.7.0.dev2025102809","2.7.0.dev2025102903","2.7.0.dev2025103003","2.7.0.dev2025103103","2.7.0.dev2025103104","2.7.0.dev2025110103","2.7.0.dev2025110113","2.7.0.dev2025110203","2.7.0.dev2025110301","2.7.0.dev2025110400","2.7.0.dev2025110503","2.7.0.dev2025110603","2.7.0.dev2025110701","2.7.0.dev2025110716","2.7.0.dev2025110717","2.7.0.dev2025110903","2.7.0.dev2025111003","2.7.0.dev2025111103","2.7.0.dev2025111403","2.7.0.dev2025111503","2.7.0.dev2025111703","2.7.0.dev2025111803","2.7.0.dev2025111903","2.7.0.dev2025112003","2.7.0.dev2025112103","2.7.0.dev2025112202","2.7.0.dev2025112303","2.7.0.dev2025112403","2.7.0.dev2025112503","2.7.0.dev2025112515","2.7.0.dev2025112603","2.7.0.dev2025112620","2.7.0.dev2025112703","2.7.0.dev2025112803","2.7.0.dev2025112903","2.7.0.dev2025113013","2.7.0.dev2025113021","2.7.0.dev2025120103","2.7.0.dev2025120110","2.7.0.dev2025120114","2.7.0.dev2025120203","2.7.0.dev2025120303","2.7.0.dev2025120400","2.7.0.dev2025120503","2.7.0.dev2025120516","2.7.0.dev2025120522","2.7.0.dev2025120601","2.7.0.dev2025120603","2.7.0.dev2025120614","2.7.0.dev2025120703","2.7.0.dev2025120803","2.7.0.dev2025120913","2.7.0.dev2025121103","2.7.0.dev2025121203","2.7.0.dev2025121300","2.7.0.dev2025121303","2.7.0.dev2025121403","2.7.0.dev2025121501","2.7.0.dev2025121601","2.7.0.dev2025121621","2.7.0.dev2025121710","2.7.0b0","2.7.0b1","2.7.0b10","2.7.0b11","2.7.0b12","2.7.0b13","2.7.0b14","2.7.0b15","2.7.0b16","2.7.0b17","2.7.0b18","2.7.0b19","2.7.0b2","2.7.0b20","2.7.0b21","2.7.0b22","2.7.0b23","2.7.0b24","2.7.0b25","2.7.0b26","2.7.0b27","2.7.0b28","2.7.0b3","2.7.0b30","2.7.0b4","2.7.0b5","2.7.0b6","2.7.0b7","2.7.0b8","2.7.0b9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26975.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}