CVE-2026-50233 Overview
CVE-2026-50233 is an arbitrary directory listing vulnerability in Lyrion Music Server 9.2.0. The flaw resides in the readdirectory query, which is exposed through both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js. The query accepts a folder parameter and returns directory contents without restricting access to the configured media directories. The default configuration requires no authentication, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem. The weakness is categorized as [CWE-548] (Exposure of Information Through Directory Listing).
Critical Impact
Remote, unauthenticated attackers can enumerate arbitrary filesystem paths on hosts running Lyrion Music Server 9.2.0, exposing sensitive file and directory structure information.
Affected Products
- Lyrion Music Server 9.2.0
- CLI service listening on TCP port 9090
- HTTP JSON-RPC endpoint at /jsonrpc.js
Discovery Timeline
- 2026-06-05 - CVE-2026-50233 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-50233
Vulnerability Analysis
Lyrion Music Server exposes a JSON-RPC style command interface used by clients to browse media libraries. The readdirectory query accepts a folder argument that specifies which directory to enumerate. Instead of constraining lookups to the configured media library roots, the server resolves the supplied path directly against the host filesystem. An attacker supplies any absolute path reachable by the service account and receives a directory listing in response.
Both network entry points share the same backend handler. The CLI service on TCP port 9090 accepts space-delimited commands, while the HTTP endpoint at /jsonrpc.js accepts JSON requests. Neither requires authentication in the default deployment. This information disclosure aids reconnaissance by revealing usernames in /home, application install paths, configuration directories, and the layout of mounted volumes.
Root Cause
The root cause is missing authorization and missing path validation on the readdirectory command handler. The handler does not verify that the requested folder lies within an allowed media root, and the default configuration does not require credentials to invoke privileged enumeration commands. This combination maps directly to [CWE-548], Exposure of Information Through Directory Listing.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a single request to either the CLI port or the JSON-RPC HTTP endpoint with an arbitrary folder value. The server responds with the contents of that directory, enabling iterative enumeration of the filesystem. See the VulnCheck Security Advisory and the Zero Science Vulnerability Report for protocol-level request examples.
Detection Methods for CVE-2026-50233
Indicators of Compromise
- Inbound TCP connections to port 9090 from non-trusted networks, particularly from sources sending readdirectory commands.
- HTTP POST or GET requests to /jsonrpc.js containing the string readdirectory paired with a folder parameter referencing paths outside the configured media library.
- Repeated requests enumerating sensitive paths such as /etc, /root, /home, C:\\Users, or C:\\Windows.
Detection Strategies
- Inspect web server and application logs for /jsonrpc.js requests containing readdirectory method calls with paths outside configured media roots.
- Monitor the Lyrion Music Server CLI port (TCP 9090) for unexpected client connections and command patterns from outside the management network.
- Alert on bursts of readdirectory queries from a single source, which indicate filesystem enumeration rather than legitimate library browsing.
Monitoring Recommendations
- Forward Lyrion Music Server access logs to a centralized logging platform and create rules for the readdirectory method.
- Capture netflow or firewall logs covering TCP 9090 to identify exposure of the CLI service beyond intended client networks.
- Track outbound responses for unusually large directory listings that may indicate successful enumeration of system paths.
How to Mitigate CVE-2026-50233
Immediate Actions Required
- Restrict network access to TCP port 9090 and the /jsonrpc.js endpoint using host firewalls or network ACLs so only trusted clients can reach the service.
- Enable authentication on the Lyrion Music Server CLI and web interfaces, replacing the default unauthenticated configuration.
- Audit Lyrion Music Server logs for prior readdirectory requests targeting paths outside the configured media directories.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Consult the VulnCheck Security Advisory and the Zero Science Vulnerability Report for current vendor status and any updated builds beyond version 9.2.0.
Workarounds
- Bind the Lyrion Music Server CLI service to 127.0.0.1 or a management VLAN rather than all interfaces.
- Place the HTTP endpoint behind a reverse proxy that enforces authentication and blocks the readdirectory method from untrusted sources.
- Run the Lyrion Music Server process under a low-privilege account that lacks read access to sensitive system directories, limiting what enumeration can reveal.
# Example: restrict access to Lyrion Music Server ports with iptables
iptables -A INPUT -p tcp --dport 9090 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP
iptables -A INPUT -p tcp --dport 9000 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
