Skip to main content

gonic CVE-2026-49338

| EUVDEUVD-2026-38067 HIGH
Improper Authorization (CWE-285)
2026-06-19 GitHub_M GHSA-hmgp-w9jm-vp95
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
7.1 HIGH

Network-reachable Subsonic API, any authenticated user suffices (PR:L), no UI; reading private playlist metadata is limited confidentiality (C:L), deleting admin playlists is high integrity (I:H), service stays up (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 19:32 vuln.today
Analysis Generated
Jun 19, 2026 - 19:32 vuln.today

DescriptionCVE.org

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its id and read the full contents (name, comment, song list) of any other user's private (non-public) playlist by passing its id. The Subsonic playlist id is base64url("<userID>/<filename>.m3u"). Because filenames are user-supplied or time-derived and the userID is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit 6dd71e6a3c966867ef8c900d359a7df75789f410, which is part of version 0.21.0.

AnalysisAI

Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged gonic account
Delivery
Enumerate or guess base64url playlist IDs
Exploit
Call /rest/getPlaylist.view with target ID
Execution
Exfiltrate private playlist contents
Persist
Call /rest/deletePlaylist.view with admin playlist ID
Impact
Destroy admin-curated playlists

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Subsonic account on a gonic instance running a version prior to 0.21.0 (PR:L); no admin role, user interaction, or non-default configuration is needed, and the vulnerable endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view are part of the default Subsonic API surface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N vector (7.1 High) is consistent with the description: any authenticated low-privileged account can integrity-impact administrators by deleting their playlists (I:H) and leak limited confidential data from private playlists (C:L), with no availability impact on the wider service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a multi-user gonic instance, a low-privileged attacker authenticates with their own Subsonic credentials, then constructs candidate playlist IDs by base64url-encoding strings like "1/<known-or-guessed-filename>.m3u" - for example IDs harvested while a playlist was briefly public, or time-derived filenames. They call /rest/getPlaylist.view?id=<id> to dump the admin's private playlist contents and /rest/deletePlaylist.view?id=<id> to wipe curated admin playlists. …
Remediation Vendor-released patch: gonic 0.21.0 - upgrade to 0.21.0 or later, which includes commit 6dd71e6 adding per-resource ownership and IsPublic checks to ServeGetPlaylist and ServeDeletePlaylist (https://github.com/sentriz/gonic/commit/6dd71e6, advisory https://github.com/sentriz/gonic/security/advisories/GHSA-hmgp-w9jm-vp95). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory gonic deployments and confirm versions running pre-0.21.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy