AzuraCast Path Traversal Flaw CVE-2026-42605 Exposes Self-Hosted Radio Servers to File System Attack
A high-severity path traversal vulnerability has been disclosed in AzuraCast, the widely deployed self-hosted web radio management suite, putting potentially thousands of internet radio installations at risk of unauthorized file system access. Tracked as CVE-2026-42605 with a CVSS severity score of 8.8, the flaw exists in the platform's media upload functionality and could allow attackers to read, write, or delete files outside intended directories on vulnerable servers—potentially leading to data theft, system compromise, or service disruption.
The vulnerability centers on the currentDirectory request parameter in the Flow.js media upload endpoint, specifically at POST /api/station/{station_id}/files/upload. Prior to version 0.23.6, this parameter accepts user input without proper sanitization or validation, enabling path traversal sequences that escape the intended upload directory boundaries. An authenticated attacker with station management permissions could leverage this weakness to access sensitive configuration files, extract credentials, overwrite critical system files, or potentially achieve remote code execution depending on the underlying server configuration and operating system permissions.
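The bug class described above is easy to reason about once it is written down. The following Python is an added illustration, not AzuraCast's code and not the fix shipped in 0.23.6: it models a directory parameter (the advisory's `currentDirectory`) being joined onto a per-station media root, shows the naive join that lets `..` sequences escape, and beside it a containment check that resolves the candidate path and refuses anything that is not the root or a descendant of it. The media root `/srv/media` and the helper names are assumptions for the example. It goes slightly beyond the page's case by also covering the sibling-directory pitfall of string-prefix checks (`/srv/media2` is not under `/srv/media`) and NUL bytes in the parameter.

```python
"""Added example: containing a user-supplied directory under a media root.

Not AzuraCast's code. Models the advisory's bug class: a request parameter
naming a directory is joined onto the station's media root. The naive
version lets "../" and absolute paths escape the root; the hardened version
normalises the path and rejects anything outside the root.
"""
import os
from pathlib import Path


class PathEscapesRoot(ValueError):
    """Raised when a requested directory would land outside the media root."""


def naive_target_dir(media_root: str, current_directory: str) -> str:
    """Vulnerable pattern: join the request parameter onto the root and trust it.

    Returns the path the filesystem would actually open after normalisation,
    which makes the escape visible: ("/srv/media", "../../etc") -> "/etc".
    """
    return os.path.normpath(os.path.join(media_root, current_directory))


def safe_target_dir(media_root: str, current_directory: str) -> Path:
    """Hardened pattern: normalise, then require the result to stay inside root.

    Rejects NUL bytes, absolute paths, and any normalised path that is neither
    the root itself nor a descendant of it. Uses normpath plus a component-wise
    ancestry check, so it works before the directory exists on disk.
    """
    if "\x00" in current_directory:
        raise PathEscapesRoot("NUL byte in directory parameter")
    if os.path.isabs(current_directory):
        raise PathEscapesRoot("absolute path not allowed")
    root = Path(os.path.normpath(os.path.abspath(media_root)))
    candidate = Path(os.path.normpath(os.path.join(str(root), current_directory)))
    # Compare path components, not string prefixes: a prefix test would
    # accept "/srv/media2" as being under "/srv/media".
    if candidate != root and root not in candidate.parents:
        raise PathEscapesRoot(
            f"{current_directory!r} resolves to {candidate}, outside {root}"
        )
    return candidate


def is_contained(media_root: str, current_directory: str) -> bool:
    """Convenience predicate: True if the hardened check accepts the input."""
    try:
        safe_target_dir(media_root, current_directory)
    except PathEscapesRoot:
        return False
    return True


if __name__ == "__main__":
    # Assumed media root; the inputs are constructed test values.
    root = "/srv/media"
    for cd in ["music/jazz", "music/../jazz", "../../etc", "../media2", "/etc", ".."]:
        print(f"{cd!r:16} naive -> {naive_target_dir(root, cd):18} "
              f"contained={is_contained(root, cd)}")
```

The ancestry check operates on the normalised path only. If the media root can contain symlinks created by users (uploaded archives, for instance), complement it with a `Path.resolve()` comparison once the target exists, so that a link pointing out of the root is also refused.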
AzuraCast has released version 0.23.6 to address the vulnerability, and administrators of self-hosted radio installations are urged to update immediately. The platform's popularity among independent broadcasters, community radio stations, and hobbyist operators means many instances may be exposed to the internet with minimal additional security layers or monitoring. Organizations running AzuraCast should verify their current version, apply the patch without delay, and review file system permissions and access logs for any signs of prior exploitation. The disclosure underscores the persistent security challenges in self-hosted media platforms where convenience features like file upload interfaces can become significant attack vectors when input validation proves insufficient.
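For the access-log review recommended above, the following Python is an added example, not AzuraCast's own tooling. It parses web server lines in the common "combined" format, keeps only requests to the upload route named in the advisory, and flags query strings whose parameter values contain a `..` path component after URL decoding, including double-encoded forms. The sample lines are constructed (documentation IP ranges, made-up station ids and timestamps). One assumption is stated in the code: the parameter is checked where it appears in the query string; when a client sends it only in a POST body, the access log cannot show the value, but the same filter still tells you which addresses hit the endpoint, for which stations, and when, which is what scopes the rest of the review.

```python
"""Added example: triaging access logs for the media upload endpoint.

Not AzuraCast's code or tooling. Reads combined-format access log lines,
keeps requests to /api/station/{station_id}/files/upload and flags query
parameter values that contain a ".." path component after full decoding.
Assumption: the parameter may appear in the query string; for parameters
carried only in a POST body, the log still identifies who hit the endpoint.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format:
#   ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_RE = re.compile(r"^/api/station/(?P<station>[^/]+)/files/upload$")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2026:10:01:02 +0000] "POST /api/station/1/files/upload'
    '?currentDirectory=music%2Fjazz HTTP/1.1" 200 142 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2026:10:01:09 +0000] "POST /api/station/1/files/upload'
    '?currentDirectory=..%2F..%2F..%2Fetc HTTP/1.1" 200 142 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2026:10:02:30 +0000] "POST /api/station/2/files/upload'
    '?currentDirectory=%252e%252e%252f%252e%252e%252fconfig HTTP/1.1" 200 142 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2026:10:03:00 +0000] "GET /api/station/2/files/list'
    ' HTTP/1.1" 200 9000 "-" "curl/8.0"',
]


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%252e%252e) is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(value: str) -> bool:
    """True if any path component of the decoded value is '..' (either slash)."""
    segments = re.split(r"[/\\]", decode_fully(value))
    return ".." in segments


def upload_hits(lines):
    """Yield one record per request to the upload endpoint, with a flag."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        um = UPLOAD_RE.match(decode_fully(parts.path))
        if not um:
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        suspicious = any(has_traversal(v) for _, v in params)
        yield {
            "ip": m.group("ip"),
            "time": m.group("time"),
            "station": um.group("station"),
            "params": params,
            "suspicious": suspicious,
        }


def summarize(lines):
    """Count upload requests and group the flagged ones by source address."""
    hits = list(upload_hits(lines))
    flagged = [h for h in hits if h["suspicious"]]
    return {
        "total_upload_requests": len(hits),
        "flagged": flagged,
        "by_ip": Counter(h["ip"] for h in flagged),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("upload requests:", report["total_upload_requests"])
    for h in report["flagged"]:
        print("FLAGGED", h["time"], h["ip"], "station", h["station"], h["params"])
    print("flagged by source:", dict(report["by_ip"]))
```

A flagged line is a lead, not a verdict: confirm it against the application's own activity log for the account that held station management permissions at that time, and check modification times on files outside the station media directories for the same window.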