CVE-2026-49338: CWE-285: Improper Authorization in sentriz gonic
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
AI Analysis
Technical Summary
CVE-2026-49338 describes an improper authorization vulnerability (CWE-285) in gonic's Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view prior to version 0.21.0. These endpoints do not enforce per-resource authorization, allowing any authenticated user to delete or read private playlists owned by other users by supplying the playlist ID. Playlist IDs are base64url encodings of "<userID>/<filename>.m3u", making them guessable due to small integer userIDs and user-supplied or time-derived filenames. This flaw compromises the multi-user trust boundary, permitting low-privileged users to delete administrator playlists and access private playlist data. The vulnerability was fixed in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 included in version 0.21.0.
Potential Impact
An attacker with any authenticated user account can delete any other user's playlists, including those owned by administrators, and read the full contents of any private playlist if they can guess or obtain its ID. This leads to unauthorized data disclosure and data integrity loss within the gonic music streaming server environment. The vulnerability undermines user privacy and trust boundaries between users.
Mitigation Recommendations
Upgrade gonic to version 0.21.0 or later, which includes the fix for this improper authorization vulnerability. Patch status is confirmed fixed in version 0.21.0. No other mitigation is indicated by the vendor advisory.
CVE-2026-49338: CWE-285: Improper Authorization in sentriz gonic
Description
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49338 describes an improper authorization vulnerability (CWE-285) in gonic's Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view prior to version 0.21.0. These endpoints do not enforce per-resource authorization, allowing any authenticated user to delete or read private playlists owned by other users by supplying the playlist ID. Playlist IDs are base64url encodings of "<userID>/<filename>.m3u", making them guessable due to small integer userIDs and user-supplied or time-derived filenames. This flaw compromises the multi-user trust boundary, permitting low-privileged users to delete administrator playlists and access private playlist data. The vulnerability was fixed in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 included in version 0.21.0.
Potential Impact
An attacker with any authenticated user account can delete any other user's playlists, including those owned by administrators, and read the full contents of any private playlist if they can guess or obtain its ID. This leads to unauthorized data disclosure and data integrity loss within the gonic music streaming server environment. The vulnerability undermines user privacy and trust boundaries between users.
Mitigation Recommendations
Upgrade gonic to version 0.21.0 or later, which includes the fix for this improper authorization vulnerability. Patch status is confirmed fixed in version 0.21.0. No other mitigation is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.902Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a35966af198dc38c1138316
Added to database: 6/19/2026, 7:20:10 PM
Last enriched: 6/19/2026, 7:35:10 PM
Last updated: 6/20/2026, 12:06:57 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.