xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint. The vulnerability allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can bypass path restrictions due to missing trailing separator in comparison logic. The flaw enables access to files from sibling directories that share the music_path prefix through crafted traversal sequences. This vulnerability poses a significant risk as it allows unauthorized file access without authentication.