Description
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.
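To make the containment point concrete, here is an added Go example (not gonic's code; `weakResolve`, `safeResolve`, the `/data/playlists` root and the flat `<owner>/<file>` layout are assumptions) that puts the flawed pattern the description names, owner taken from the first segment of the raw `id` with no containment, beside a resolver that cleans the path, proves it stays under the root, and only then compares the owner segment to the authenticated user.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrForbidden is returned when an id does not resolve to a file the
// authenticated user owns inside the playlist root.
var ErrForbidden = errors.New("forbidden")

// weakResolve mirrors the flawed pattern described in the advisory
// (illustrative, not gonic's code): the owner is read from the first
// segment of the raw id and the path is joined without containment.
func weakResolve(root, user, id string) (string, error) {
	owner := strings.SplitN(id, "/", 2)[0]
	if owner != user {
		return "", ErrForbidden
	}
	// Join cleans ".." segments, so "alice/../bob/x" ends up under bob/.
	return filepath.Join(root, id), nil
}

// safeResolve (hypothetical hardening) derives the owner only after the
// path is cleaned and proven to stay inside root, and requires exactly
// <owner>/<file> so the owner segment cannot be displaced.
func safeResolve(root, user, id string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, id)
	sep := string(filepath.Separator)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrForbidden // escaped the playlist root
	}
	parts := strings.Split(rel, sep)
	if len(parts) != 2 || parts[0] != user || parts[1] == "" {
		return "", ErrForbidden // wrong owner or unexpected layout
	}
	return full, nil
}

func main() {
	// Constructed ids: own file, another user's file, and two traversal attempts.
	for _, id := range []string{"alice/mix.m3u", "bob/mix.m3u", "alice/../bob/mix.m3u", "alice/../../outside.txt"} {
		w, werr := weakResolve("/data/playlists", "alice", id)
		s, serr := safeResolve("/data/playlists", "alice", id)
		fmt.Printf("%-26s weak=%q (%v)  safe=%q (%v)\n", id, w, werr, s, serr)
	}
}
```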
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows any authenticated Subsonic user to read or delete any other user's playlist and to probe arbitrary file paths on the host. The flaw is a path traversal in the playlist ID parameter combined with an insufficient ownership check: because the UserID used for authorization is taken from the first path segment of the attacker-controlled ID, and the resolved file path is never checked for containment, an attacker can satisfy the check while pointing the path elsewhere. This leads to information disclosure and manipulation of user data. The weakness aligns with CWE-22 and CWE-639.

Affected Systems

The affected product is sentriz:gonic, a music streaming server implementing the Subsonic API. All releases before version 0.21.0 contain the flaw: the ownership check added in commit 6dd71e6 could be bypassed, and commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445, shipped in version 0.21.0, removes the vulnerability. On older versions of gonic, any authenticated user may retrieve or delete other users' playlists, or check for the existence of arbitrary files on the host filesystem, through crafted playlist IDs.

Risk and Exploitability

The CVSS score of 7.1 reflects considerable impact without remote code execution. EPSS is not available but the nature of the flaw makes it likely to be abused by attackers who already have authenticated access. The vulnerability is not listed in the CISA KEV catalog, but it poses a significant risk to confidentiality, integrity, and availability of user data. The likely attack vector is through API calls to getPlaylist or deletePlaylist using crafted playlist IDs; no additional credentials beyond normal authentication are required.

Generated by OpenCVE AI on June 19, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest gonic release (version 0.21.0 or later) to install the proper ownership check and eliminate the path traversal issue.
  • Verify that the playlist.UserID authorization logic is strictly enforced and that no path-based derivation remains in the code base.
  • Monitor API usage logs for repeated attempts to access playlist IDs that do not belong to the authenticated user and configure alerts for such anomalous activity.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 19:15:00 +0000

Type: Description
Values Removed: gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the *first path segment* of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.
Values Added: gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.

Fri, 19 Jun 2026 18:45:00 +0000

Type: Description
Values Added: gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the *first path segment* of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.

Type: Title
Values Added: Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user's playlist

Type: Weaknesses
Values Added: CWE-22, CWE-639

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:10:11.134Z

Reserved: 2026-05-29T14:35:45.902Z

Link: CVE-2026-49339

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-639: Authorization Bypass Through User-Controlled Key