Description
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
Published: 2026-06-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The gonic music streaming server allows authenticated users to access the Subsonic API endpoints \/rest\/deletePlaylist.view and \/rest\/getPlaylist.view without checking ownership of the referenced playlist. This allows any logged‑in user to delete any other user’s playlist or read the contents of a private playlist. The ability to delete a playlist is a loss of availability for cataloged media, while the exposure of private playlist information compromises confidentiality and may reveal personal listening habits.

Affected Systems

The vulnerability affects gonic versions prior to 0.21.0. Users running any release 0.20.x or earlier are vulnerable. The issue was addressed in commit 6dd71e6a3c966867ef8c900d359a7df75789f410, which is included in the 0.21.0 release. The product is provided by the vendor sentriz under the gonic project name.

Risk and Exploitability

The CVSS base score is 7.1, indicating a high severity vulnerability. Because the attack requires only authentication, an attacker with any user account can enumerate playlist IDs by guessing the base64‑encoded <userID>/<filename>.m3u pattern; these IDs are frequently exposed, making the attack practical. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, yet its high likelihood of exploitation in multi‑user environments warrants timely remediation.

Generated by OpenCVE AI on June 19, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gonic to version 0.21.0 or later.
  • If an upgrade is not immediately possible, restrict access to the vulnerable API endpoints by implementing IP filtering or network segmentation so that only administrators can call \/rest\/deletePlaylist.view and \/rest\/getPlaylist.view.
  • Ensure that playlist filenames are not easily guessable by using random or obfuscated names for private playlists to reduce the chance that an attacker can enumerate playlist IDs.

Generated by OpenCVE AI on June 19, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hmgp-w9jm-vp95 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
History

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Sentriz
Sentriz gonic
Vendors & Products Sentriz
Sentriz gonic

Fri, 19 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
Title Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
Weaknesses CWE-285
CWE-639
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T02:21:47.053Z

Reserved: 2026-05-29T14:35:45.902Z

Link: CVE-2026-49338

cve-icon Vulnrichment

Updated: 2026-06-23T02:21:40.823Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:34:37Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-639

    Authorization Bypass Through User-Controlled Key