Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Network-reachable Subsonic API (AV:N), trivial request (AC:L), requires any authenticated user but not admin (PR:L), no UI; arbitrary file write yields I:H and A:H, no direct read so C:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in Store.Write. Version 0.21.0 patches the issue.
AnalysisAI
Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated Subsonic account on the target gonic instance (PR:L) - admin is not needed, any non-admin user works. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H vector (8.1 High) reflects a network-reachable, low-complexity attack requiring only a low-privileged authenticated Subsonic user, with high integrity and availability impact and no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any valid Subsonic account on a shared gonic instance issues a createPlaylist or updatePlaylist API call whose target path is an absolute filesystem location such as the gonic user's ~/.ssh/authorized_keys, a systemd unit drop-in, or a Go template/config file consumed at startup, with M3U-formatted content crafted to be syntactically valid in the target file format. gonic writes the file (creating any missing parent directories at 0o777) and the attacker gains code execution or persistence as the gonic service account on next trigger. … |
| Remediation | Vendor-released patch: upgrade gonic to version 0.21.0 or later, which adds the missing path containment in Store.Write and corrects the unreachable guard in ServeCreateOrUpdatePlaylist; details are in https://github.com/sentriz/gonic/security/advisories/GHSA-4gxv-p5g5-j7w7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all gonic deployments and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' pla
Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38068
GHSA-4gxv-p5g5-j7w7