Skip to main content

gonic CVE-2026-49340

| EUVDEUVD-2026-38068 HIGH
Path Traversal (CWE-22)
2026-06-19 GitHub_M GHSA-4gxv-p5g5-j7w7
8.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable Subsonic API (AV:N), trivial request (AC:L), requires any authenticated user but not admin (PR:L), no UI; arbitrary file write yields I:H and A:H, no direct read so C:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 19, 2026 - 21:02 EUVD
Analysis Generated
Jun 19, 2026 - 19:32 vuln.today

DescriptionCVE.org

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in Store.Write. Version 0.21.0 patches the issue.

AnalysisAI

Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privileged Subsonic account
Delivery
Reach gonic playlist API over network
Exploit
Send createPlaylist with absolute path and M3U payload
Install
Trigger unreachable guard / unchecked Store.Write
C2
File written and 0o777 dirs created on host
Execute
Overwrite SSH/config/unit file for persistence
Impact
Execute code as gonic service user

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated Subsonic account on the target gonic instance (PR:L) - admin is not needed, any non-admin user works. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H vector (8.1 High) reflects a network-reachable, low-complexity attack requiring only a low-privileged authenticated Subsonic user, with high integrity and availability impact and no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid Subsonic account on a shared gonic instance issues a createPlaylist or updatePlaylist API call whose target path is an absolute filesystem location such as the gonic user's ~/.ssh/authorized_keys, a systemd unit drop-in, or a Go template/config file consumed at startup, with M3U-formatted content crafted to be syntactically valid in the target file format. gonic writes the file (creating any missing parent directories at 0o777) and the attacker gains code execution or persistence as the gonic service account on next trigger. …
Remediation Vendor-released patch: upgrade gonic to version 0.21.0 or later, which adds the missing path containment in Store.Write and corrects the unreachable guard in ServeCreateOrUpdatePlaylist; details are in https://github.com/sentriz/gonic/security/advisories/GHSA-4gxv-p5g5-j7w7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all gonic deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy