Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 26 Aug 2025 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Fri, 30 May 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 May 2025 19:30:00 +0000

Type Values Removed Values Added
Description Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.
Title Navidrome Transcoding Permission Bypass Vulnerability Report
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-05-30T20:44:14.912Z

Reserved: 2025-05-28T18:49:07.583Z

Link: CVE-2025-48948

cve-icon Vulnrichment

Updated: 2025-05-30T20:44:10.405Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-30T20:15:43.910

Modified: 2025-08-26T14:17:42.403

Link: CVE-2025-48948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-06-24T09:44:17Z