Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Network-reachable Subsonic API, any authenticated user suffices (PR:L), no UI; reading private playlist metadata is limited confidentiality (C:L), deleting admin playlists is high integrity (I:H), service stays up (A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its id and read the full contents (name, comment, song list) of any other user's private (non-public) playlist by passing its id. The Subsonic playlist id is base64url("<userID>/<filename>.m3u"). Because filenames are user-supplied or time-derived and the userID is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit 6dd71e6a3c966867ef8c900d359a7df75789f410, which is part of version 0.21.0.
AnalysisAI
Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Subsonic account on a gonic instance running a version prior to 0.21.0 (PR:L); no admin role, user interaction, or non-default configuration is needed, and the vulnerable endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view are part of the default Subsonic API surface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N vector (7.1 High) is consistent with the description: any authenticated low-privileged account can integrity-impact administrators by deleting their playlists (I:H) and leak limited confidential data from private playlists (C:L), with no availability impact on the wider service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a multi-user gonic instance, a low-privileged attacker authenticates with their own Subsonic credentials, then constructs candidate playlist IDs by base64url-encoding strings like "1/<known-or-guessed-filename>.m3u" - for example IDs harvested while a playlist was briefly public, or time-derived filenames. They call /rest/getPlaylist.view?id=<id> to dump the admin's private playlist contents and /rest/deletePlaylist.view?id=<id> to wipe curated admin playlists. … |
| Remediation | Vendor-released patch: gonic 0.21.0 - upgrade to 0.21.0 or later, which includes commit 6dd71e6 adding per-resource ownership and IsPublic checks to ServeGetPlaylist and ServeDeletePlaylist (https://github.com/sentriz/gonic/commit/6dd71e6, advisory https://github.com/sentriz/gonic/security/advisories/GHSA-hmgp-w9jm-vp95). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory gonic deployments and confirm versions running pre-0.21.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including
Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' pla
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38067
GHSA-hmgp-w9jm-vp95