CVE Catalog

CVE-2026-49338

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

Gonic, a music streaming server, prior to version 0.21.0, lacked authorization for the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view`. This allows an attacker, once authenticated, to delete any other user's playlist and read the contents of private playlists.

Risk Assessment

The lack of proper authorization breaks the trust boundary between users, potentially leading to data loss and privacy breaches. Low-privileged users can delete administrators' playlists and exfiltrate private data from other users.

Recommendation

It is recommended to upgrade to version 0.21.0 or later to fix this vulnerability. Additionally, consider implementing further security measures such as monitoring access to playlists.

Original NVD description (English source)

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS