CVE-2026-49338
Status: Received - Intake
Playlist Deletion and Information Disclosure in Gonic

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user's **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: sentriz
Product: gonic
Version / Range: all versions before 0.21.0 (0.21.0 itself excluded)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-49338 is an Insecure Direct Object Reference (IDOR) vulnerability in the gonic music streaming server's Subsonic API implementation affecting versions up to 0.20.1.

The vulnerability occurs because the API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` do not verify whether the authenticated user owns the playlist they are trying to access or delete.

As a result, any authenticated user, regardless of their privileges, can delete any other user's playlist or read the full contents of any private playlist if they know its ID.

Playlist IDs are predictable because they are base64url encodings of a string containing the user ID and filename, making it easy for attackers to guess or obtain them.

This breaks the multi-user trust boundary, allowing low-privileged users to delete administrator playlists or exfiltrate private playlist data.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to delete your playlists, including those curated by administrators, which affects data integrity.

It also allows attackers to read the full contents of your private playlists, compromising confidentiality.

Because playlist IDs are guessable, attackers can easily exploit this flaw once authenticated, leading to potential data loss and privacy breaches.

Detection Guidance

This vulnerability can be detected by attempting to access or delete playlists owned by other users using the Subsonic API endpoints `/rest/getPlaylist.view` and `/rest/deletePlaylist.view` while authenticated as a low-privileged user.

Since playlist IDs are base64url encoded strings of the format "<userID>/<filename>.m3u" and are guessable, you can try to decode or guess playlist IDs and test if unauthorized access or deletion is possible.

Example commands using curl to test the vulnerability might include:

  • curl -u user:password "http://<gonic-server>/rest/getPlaylist.view?id=<playlist_id>"
  • curl -X POST -u user:password "http://<gonic-server>/rest/deletePlaylist.view?id=<playlist_id>"

If these commands succeed in reading or deleting playlists not owned by the authenticated user, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the gonic application to version 0.21.0 or later, where the vulnerability is fixed.

The fix enforces ownership checks on the `/rest/getPlaylist.view` and `/rest/deletePlaylist.view` endpoints, preventing unauthorized users from accessing or deleting playlists they do not own.
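The following Go example is added here to illustrate the class of check the fix introduces; it is not gonic's code and not the patch from commit `6dd71e6a3c966867ef8c900d359a7df75789f410`. It models the playlist `id` exactly as the advisory describes it, `base64url("<userID>/<filename>.m3u")`, and places an unchecked lookup (the pre-0.21.0 behaviour as described above) beside an ownership-checked lookup and delete. The in-memory `Store`, the `Playlist` struct, the choice of unpadded base64url, the rule that public playlists are readable by any authenticated user, and the decision to answer "not found" for both missing and foreign playlists are all assumptions of this example, not statements about gonic's implementation.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Playlist is a constructed stand-in for a stored playlist. Name, Comment and
// Songs are the fields the advisory says are disclosed; OwnerID and Public are
// what an authorization decision needs. (Assumed shape, not gonic's type.)
type Playlist struct {
	OwnerID int
	Name    string
	Comment string
	Public  bool
	Songs   []string
}

// Store maps a Subsonic playlist id to its record (assumed in-memory backend).
type Store map[string]Playlist

// ErrNotFound is returned for both "does not exist" and "not yours", so a
// caller cannot use the error to confirm that another user's playlist exists.
var ErrNotFound = errors.New("playlist not found")

// makePlaylistID builds base64url("<userID>/<filename>.m3u"), the id format
// the advisory describes. Unpadded encoding is an assumption of this example.
func makePlaylistID(userID int, filename string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf("%d/%s.m3u", userID, filename)))
}

// parsePlaylistID decodes a client-supplied id and returns the embedded owner
// id and filename. Both padded and unpadded base64url are accepted.
func parsePlaylistID(id string) (ownerID int, filename string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(id, "="))
	if err != nil {
		return 0, "", fmt.Errorf("bad playlist id: %w", err)
	}
	owner, file, ok := strings.Cut(string(raw), "/")
	// Reject anything that does not look like "<int>/<name>.m3u"; the extra
	// separator check is general input hygiene, not a claim about gonic.
	if !ok || !strings.HasSuffix(file, ".m3u") || strings.ContainsAny(file, "/\\") {
		return 0, "", errors.New("bad playlist id: unexpected shape")
	}
	ownerID, err = strconv.Atoi(owner)
	if err != nil {
		return 0, "", fmt.Errorf("bad playlist id: owner is not an integer: %w", err)
	}
	return ownerID, file, nil
}

// getPlaylistUnchecked reproduces the behaviour the advisory describes for
// versions before 0.21.0: the id alone selects the record, the caller is never
// compared to the owner. callerID is deliberately unused.
func getPlaylistUnchecked(s Store, callerID int, id string) (Playlist, error) {
	p, ok := s[id]
	if !ok {
		return Playlist{}, ErrNotFound
	}
	return p, nil
}

// getPlaylistChecked is the hardened form. The stored OwnerID is the authority
// (the id's owner component is client-supplied and must merely agree with it);
// non-owners may read only playlists the record itself marks public.
func getPlaylistChecked(s Store, callerID int, id string) (Playlist, error) {
	ownerID, _, err := parsePlaylistID(id)
	if err != nil {
		return Playlist{}, ErrNotFound
	}
	p, ok := s[id]
	if !ok || p.OwnerID != ownerID || (p.OwnerID != callerID && !p.Public) {
		return Playlist{}, ErrNotFound
	}
	return p, nil
}

// deletePlaylistChecked permits deletion only by the owner; a public playlist
// is readable by others but still not deletable by them.
func deletePlaylistChecked(s Store, callerID int, id string) error {
	ownerID, _, err := parsePlaylistID(id)
	if err != nil {
		return ErrNotFound
	}
	p, ok := s[id]
	if !ok || p.OwnerID != ownerID || p.OwnerID != callerID {
		return ErrNotFound
	}
	delete(s, id)
	return nil
}

func main() {
	// Constructed sample data: user 1 owns a private and a public playlist.
	s := Store{}
	private := makePlaylistID(1, "favourites")
	s[private] = Playlist{OwnerID: 1, Name: "favourites", Songs: []string{"song-a", "song-b"}}
	public := makePlaylistID(1, "party")
	s[public] = Playlist{OwnerID: 1, Name: "party", Public: true}

	_, err := getPlaylistUnchecked(s, 2, private)
	fmt.Println("unchecked read of user 1's private playlist by user 2:", err)
	_, err = getPlaylistChecked(s, 2, private)
	fmt.Println("checked read of user 1's private playlist by user 2:  ", err)
	_, err = getPlaylistChecked(s, 2, public)
	fmt.Println("checked read of user 1's public playlist by user 2:   ", err)
	fmt.Println("checked delete of public playlist by user 2:          ", deletePlaylistChecked(s, 2, public))
	fmt.Println("checked delete of private playlist by user 1:         ", deletePlaylistChecked(s, 1, private))
}
```

The point worth carrying into a real fix is that the stored record, not the decoded id, decides ownership: the id is attacker-controlled input, and a small-integer user id plus a user-chosen filename is exactly the kind of key CWE-639 warns about, so the check must be on every per-resource endpoint rather than on authentication alone.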

Until the upgrade is possible, restrict access to the affected API endpoints to trusted users only and monitor for suspicious activity involving playlist access or deletion.

Compliance Impact

This vulnerability allows any authenticated user to access and delete private playlists of other users without proper authorization, breaking confidentiality and integrity controls.

Such unauthorized access and modification of private user data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal data.

Because private playlists may contain personal or sensitive information, the exposure and deletion of these playlists undermine compliance with these standards' requirements for data confidentiality and integrity.
