CVE-2026-49339: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in sentriz gonic
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.
AI Analysis
Technical Summary
The vulnerability in gonic arises because the ownership check relies on playlist.UserID, which is derived from the first path segment of the playlist ID controlled by the attacker. Since there is no path containment validation on the resolved file path, an authenticated Subsonic user can exploit this to bypass ownership restrictions. This enables unauthorized access to other users' playlists, deletion of those playlists, and probing of arbitrary file paths on the server. The issue is related to a previous IDOR vulnerability but uses path traversal in the 'id' parameter as the attack vector. The fix was introduced in commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 and included in gonic version 0.21.0.
Potential Impact
An authenticated user can bypass playlist ownership checks, allowing them to read and delete playlists belonging to other users and probe arbitrary file paths on the host system. This leads to unauthorized information disclosure and modification of user data. The vulnerability does not impact availability but compromises confidentiality and integrity of user playlists and potentially exposes sensitive files on the server.
Mitigation Recommendations
Upgrade to gonic version 0.21.0 or later, where the vulnerability is fixed by proper path containment checks and ownership validation. No other mitigations are indicated or required as the fix addresses the root cause.
CVE-2026-49339: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in sentriz gonic
Description
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in gonic arises because the ownership check relies on playlist.UserID, which is derived from the first path segment of the playlist ID controlled by the attacker. Since there is no path containment validation on the resolved file path, an authenticated Subsonic user can exploit this to bypass ownership restrictions. This enables unauthorized access to other users' playlists, deletion of those playlists, and probing of arbitrary file paths on the server. The issue is related to a previous IDOR vulnerability but uses path traversal in the 'id' parameter as the attack vector. The fix was introduced in commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 and included in gonic version 0.21.0.
Potential Impact
An authenticated user can bypass playlist ownership checks, allowing them to read and delete playlists belonging to other users and probe arbitrary file paths on the host system. This leads to unauthorized information disclosure and modification of user data. The vulnerability does not impact availability but compromises confidentiality and integrity of user playlists and potentially exposes sensitive files on the server.
Mitigation Recommendations
Upgrade to gonic version 0.21.0 or later, where the vulnerability is fixed by proper path containment checks and ownership validation. No other mitigations are indicated or required as the fix addresses the root cause.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.902Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a358c5cf198dc38c1f2fbbe
Added to database: 6/19/2026, 6:37:16 PM
Last enriched: 6/19/2026, 6:50:55 PM
Last updated: 6/19/2026, 11:57:15 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.