CVE-2026-49338
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Gonic, a music streaming server, prior to version 0.21.0, lacked authorization for the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view`. This allows an attacker, once authenticated, to delete any other user's playlist and read the contents of private playlists.
Risk Assessment
The lack of proper authorization breaks the trust boundary between users, potentially leading to data loss and privacy breaches. Low-privileged users can delete administrators' playlists and exfiltrate private data from other users.
Recommendation
It is recommended to upgrade to version 0.21.0 or later to fix this vulnerability. Additionally, consider implementing further security measures such as monitoring access to playlists.
Original NVD description (English source)
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.

