Description
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
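The per-resource check the description says was missing, shown as an added example in Go (gonic's implementation language) that is not gonic's own code and not the fix commit. It assumes the id layout given above, `base64url("<userID>/<filename>.m3u")`, with unpadded base64url; the `Playlist` type, in-memory `Store`, and the `GetPlaylist*`/`DeletePlaylistFixed` functions are constructed for this example. The vulnerable reader is kept next to the hardened one so the difference is the ownership comparison alone.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Playlist is a minimal stand-in for a stored playlist. This type, the Store
// below and the handler functions are constructed for this example; they are
// not gonic's own code.
type Playlist struct {
	OwnerID int
	Name    string
	Public  bool
	Songs   []string
}

// Store is an in-memory map from Subsonic playlist id to playlist (constructed).
type Store map[string]*Playlist

var (
	ErrBadID    = errors.New("malformed playlist id")
	ErrNotFound = errors.New("playlist not found")
)

// PlaylistID builds the id format the advisory describes:
// base64url("<userID>/<filename>.m3u"). Unpadded base64url is an assumption.
func PlaylistID(userID int, filename string) string {
	return base64.RawURLEncoding.EncodeToString(
		[]byte(fmt.Sprintf("%d/%s.m3u", userID, filename)))
}

// ParsePlaylistID decodes an id and returns the owner user id and file name.
// Anything that does not match the expected shape is rejected up front.
func ParsePlaylistID(id string) (int, string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(id)
	if err != nil {
		return 0, "", ErrBadID
	}
	ownerStr, file, ok := strings.Cut(string(raw), "/")
	if !ok || !strings.HasSuffix(file, ".m3u") || strings.Contains(file, "/") {
		return 0, "", ErrBadID
	}
	owner, err := strconv.Atoi(ownerStr)
	if err != nil || owner <= 0 {
		return 0, "", ErrBadID
	}
	return owner, file, nil
}

// GetPlaylistVulnerable mirrors the pre-0.21.0 behaviour the advisory describes:
// the playlist is looked up by id and returned with no comparison against the
// authenticated caller.
func GetPlaylistVulnerable(s Store, callerID int, id string) (*Playlist, error) {
	p, ok := s[id]
	if !ok {
		return nil, ErrNotFound
	}
	return p, nil
}

// GetPlaylistFixed adds the per-resource check: the caller must own the
// playlist or the playlist must be public. Another user's private playlist is
// reported as not found rather than forbidden, so a guessed id does not
// confirm that the playlist exists.
func GetPlaylistFixed(s Store, callerID int, id string) (*Playlist, error) {
	owner, _, err := ParsePlaylistID(id)
	if err != nil {
		return nil, err
	}
	p, ok := s[id]
	if !ok || p.OwnerID != owner { // the stored owner is the source of truth
		return nil, ErrNotFound
	}
	if p.OwnerID != callerID && !p.Public {
		return nil, ErrNotFound
	}
	return p, nil
}

// DeletePlaylistFixed lets only the owner delete; a non-owner gets the same
// not-found answer as for a non-existent id. Whether an admin may delete other
// users' playlists is a policy choice the advisory does not cover, so this
// example keeps deletion owner-only.
func DeletePlaylistFixed(s Store, callerID int, id string) error {
	owner, _, err := ParsePlaylistID(id)
	if err != nil {
		return err
	}
	p, ok := s[id]
	if !ok || p.OwnerID != owner || p.OwnerID != callerID {
		return ErrNotFound
	}
	delete(s, id)
	return nil
}

func main() {
	s := Store{}
	adminPrivate := PlaylistID(1, "favourites") // user 1, private (constructed)
	s[adminPrivate] = &Playlist{OwnerID: 1, Name: "favourites", Songs: []string{"track-a", "track-b"}}

	// User 2 presents user 1's id: the unchecked reader returns the private
	// playlist, the checked reader and the delete path refuse it.
	if p, err := GetPlaylistVulnerable(s, 2, adminPrivate); err == nil {
		fmt.Printf("vulnerable: user 2 read %q (%d songs)\n", p.Name, len(p.Songs))
	}
	_, err := GetPlaylistFixed(s, 2, adminPrivate)
	fmt.Println("fixed read:", err)
	fmt.Println("fixed delete:", DeletePlaylistFixed(s, 2, adminPrivate))
}
```

Two design points: the owner encoded in the id is parsed but the stored record's owner is what the check trusts, so a crafted id cannot vouch for itself; and because the advisory stresses that ids are guessable, the checked paths answer "not found" uniformly instead of distinguishing "exists but forbidden".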
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The gonic music streaming server allows authenticated users to access the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view without checking ownership of the referenced playlist. This allows any logged‑in user to delete any other user's playlist or read the contents of a private playlist. The ability to delete a playlist is a loss of availability for cataloged media, while the exposure of private playlist information compromises confidentiality and may reveal personal listening habits.

Affected Systems

The vulnerability affects gonic versions prior to 0.21.0. Users running any release 0.20.x or earlier are vulnerable. The issue was addressed in commit 6dd71e6a3c966867ef8c900d359a7df75789f410, which is included in the 0.21.0 release. The product is provided by the vendor sentriz under the gonic project name.

Risk and Exploitability

The CVSS base score is 7.1, indicating a high severity vulnerability. Because the attack requires only authentication, an attacker with any user account can enumerate playlist IDs by guessing the base64‑encoded <userID>/<filename>.m3u pattern; these IDs are frequently exposed, making the attack practical. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, yet its high likelihood of exploitation in multi‑user environments warrants timely remediation.

Generated by OpenCVE AI on June 19, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gonic to version 0.21.0 or later.
  • If an upgrade is not immediately possible, restrict access to the vulnerable API endpoints by implementing IP filtering or network segmentation so that only administrators can call /rest/deletePlaylist.view and /rest/getPlaylist.view.
  • Ensure that playlist filenames are not easily guessable by using random or obfuscated names for private playlists to reduce the chance that an attacker can enumerate playlist IDs.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 19:15:00 +0000

Type / Values Removed / Values Added (no values were removed in this entry)
Description (added): identical to the description shown at the top of this page.
Title (added): Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
Weaknesses (added): CWE-285, CWE-639
References (added): none listed
Metrics (added): cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:08:34.220Z

Reserved: 2026-05-29T14:35:45.902Z

Link: CVE-2026-49338

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-639

    Authorization Bypass Through User-Controlled Key