Threat Advisory

gonic Vulnerability Allows Cross-User Playlist Access Exploit

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the gonic music streaming server (go/go.senan.xyz/gonic) versions up to 0.20.1. The flaws include path‑traversal mechanisms that bypass playlist ownership checks, enabling unauthorized read and delete operations, and a separate issue that permits arbitrary file writes to attacker‑controlled locations. Both vulnerabilities are exploitable by any authenticated Subsonic user without requiring elevated privileges. The business impact ranges from exposure of user playlists and private metadata to potential integrity breaches where malicious files are written to critical system paths, increasing the risk of broader service disruption or compromise.

  • CVE-2026-49339 with a CVSS score of 7.1 – Path traversal in the playlist id parameter bypasses ownership validation, allowing any authenticated user to read or delete other users' playlists and probe arbitrary filesystem paths. Exploitation requires only a crafted base64‑encoded playlist ID and a valid Subsonic account.
  • CVE-2026-49340 with a CVSS score of 8.1 – Arbitrary file write in the createPlaylist endpoint lets any authenticated user write M3U content to attacker‑specified absolute paths, creating world‑writable directories. The attack is performed via a manipulated playlist path and does not require special privileges.

These vulnerabilities pose a high risk of data leakage, loss of playlist integrity, and potential system compromise. If exploited, attackers could disrupt service availability, tamper with critical files, and undermine user trust, making rapid remediation essential.
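Both issues above come down to a playlist path being derived from client-controlled input instead of from the authenticated user. The following Go helper, written for this advisory and not taken from gonic, shows the shape of a fix: it decodes a base64 playlist id, refuses absolute paths and separators, and verifies that the resolved file sits exactly one level below the caller's own playlist directory. The `<root>/<user>/<name>.m3u` layout, the `EncodePlaylistID` helper and standard base64 are assumptions for the example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadPlaylistID is returned for any id that does not name one .m3u file
// directly inside the requesting user's own playlist directory.
var ErrBadPlaylistID = errors.New("playlist id rejected")

// EncodePlaylistID is the encoding assumed for this example (standard base64
// of the file name); gonic's real scheme may differ.
func EncodePlaylistID(name string) string {
	return base64.StdEncoding.EncodeToString([]byte(name))
}

// ResolvePlaylistPath turns a base64 playlist id into an on-disk path, binding
// it to the authenticated user instead of trusting whatever the id decodes to.
// Assumed layout: <root>/<user>/<name>.m3u (hypothetical, not gonic's own).
func ResolvePlaylistPath(root, user, encodedID string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encodedID)
	if err != nil {
		return "", ErrBadPlaylistID
	}
	name := string(raw)
	// First layer: anything that cannot be a plain file name is rejected
	// outright (empty, absolute, NUL byte, or any path separator).
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) ||
		strings.ContainsAny(name, `/\`) {
		return "", ErrBadPlaylistID
	}
	userDir := filepath.Join(root, user)
	candidate := filepath.Join(userDir, name) // Join also cleans ".." segments
	// Second layer: canonical containment check. The result must be exactly
	// one component below userDir and carry the expected extension.
	rel, err := filepath.Rel(userDir, candidate)
	if err != nil || rel == "." || rel == ".." || rel != filepath.Base(rel) ||
		!strings.HasSuffix(rel, ".m3u") {
		return "", ErrBadPlaylistID
	}
	return candidate, nil
}

func main() {
	for _, id := range []string{EncodePlaylistID("mix.m3u"),
		EncodePlaylistID("../bob/mix.m3u"), EncodePlaylistID("/tmp/x.m3u")} {
		p, err := ResolvePlaylistPath("/srv/gonic/playlists", "alice", id)
		fmt.Printf("%-24s -> %q %v\n", id, p, err)
	}
}
```

Because the directory is taken from the session user rather than the id, a caller can only ever name files in their own directory, which is the ownership check the advisory says was bypassed.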

RECOMMENDATION:

  • We recommend updating gonic to version 0.21.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2fp4-5v5c-4448
https://github.com/advisories/GHSA-4gxv-p5g5-j7w7
