Description
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with `0o777` permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in `Store.Write`. Version 0.21.0 patches the issue.
Published: 2026-06-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in gonic’s playlist creation handler allows any authenticated Subsonic user to write M3U playlist data to an absolute file path on the host system. The logic error bypasses an intended guard (CWE‑697) and the subsequent write routine accepts the supplied path without containment checks (CWE‑22), while also creating intermediate directories with 0777 permissions (CWE‑732). This makes it possible to overwrite system files, drop malicious scripts, or otherwise place code that can be executed by the operating system, effectively allowing an attacker to gain elevated control over the host.

Affected Systems

All installations of sentriz:gonic running a version earlier than 0.21.0 are vulnerable. Versions 0.21.0 and later contain the patch that fixed the playlist handling logic.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalogue. The attack vector is straightforward: an authenticated API user can trigger the write by creating or updating a playlist. Because the Subsonic API by design grants normal users access to playlist endpoints, exploitation does not require elevated privileges or special network conditions. Once the file write succeeds, the attacker can further exploit the host, potentially achieving remote code execution or privilege escalation.

Generated by OpenCVE AI on June 19, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gonic to version 0.21.0 or later to address CWE‑22 (path traversal), CWE‑697 (unreachable guard), and CWE‑732 (incorrect file permissions).
  • If an upgrade is delayed, restrict the playlist creation/update API to administrators only and enforce validation to prevent arbitrary path writes and ensure directories are not world‑writable, mitigating both CWE‑22 and CWE‑732.
  • Continuously monitor the host’s filesystem for unexpected playlist file writes and audit API usage logs to detect and respond to potential exploitation attempts, which may lead to privilege escalation or remote code execution.

Generated by OpenCVE AI on June 19, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4gxv-p5g5-j7w7 gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host
History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Sentriz
Sentriz gonic
Vendors & Products Sentriz
Sentriz gonic

Fri, 19 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with `0o777` permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in `Store.Write`. Version 0.21.0 patches the issue.
Title gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host
Weaknesses CWE-22
CWE-697
CWE-732
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:50:57.575Z

Reserved: 2026-05-29T14:35:45.902Z

Link: CVE-2026-49340

cve-icon Vulnrichment

Updated: 2026-06-22T17:50:42.640Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:34:35Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-697

    Incorrect Comparison

  • CWE-732

    Incorrect Permission Assignment for Critical Resource