CVE-2026-49339
Received Received - Intake
Path Traversal in Gonic Music Server

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist, delete any other user's playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-21
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2026-49339
EUVD
EUVD-2026-38062
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sentriz gonic 0.21.0
sentriz gonic to 0.20.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49339 is a path traversal vulnerability in the Gonic media server that allows any authenticated user to bypass ownership checks and read or delete other users' playlists.

The issue arises because the playlist ID parameter is base64-decoded without path sanitization, enabling attackers to craft IDs like "2/../../<victim>/playlist.m3u" where "2" is their own user ID.

The system extracts the first segment ("2") to determine ownership but fails to validate that the resolved file path remains within the intended directory, allowing access to files outside the playlist directory.

This bypasses a previous fix that attempted to enforce playlist ownership, making it possible to read or delete any other user's playlists and probe arbitrary file paths on the host.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized reading of private playlists, deletion of any user's playlists (including those created by administrators), and probing for arbitrary files on the host system.

This impacts the confidentiality and integrity of user data within the Gonic media server.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized access to playlist files, especially attempts to access or delete playlists belonging to other users.

Since the vulnerability involves path traversal via the playlist ID parameter, detection can focus on identifying requests with suspicious playlist IDs containing path traversal patterns such as '../' or encoded variants.

Commands to detect exploitation attempts might include searching server logs for playlist ID parameters with path traversal sequences.

  • grep -E 'id=.*(\.\./|%2e%2e%2f)' /path/to/gonic/access.log
  • grep -E 'playlist.*(delete|read)' /path/to/gonic/access.log | grep -E '(\.\./|%2e%2e%2f)'

Additionally, monitoring for unexpected file access or deletion events outside of user directories can help detect exploitation.

Mitigation Strategies

The immediate mitigation step is to upgrade the Gonic media server to version 0.21.0 or later, where this vulnerability has been fixed.

The fix includes the introduction of a path containment check (SafeJoin function) that ensures playlist paths remain within the intended user directory, preventing path traversal attacks.

Until the upgrade can be applied, restrict access to the Gonic server to trusted users only and monitor logs for suspicious activity as a temporary measure.

Compliance Impact

This vulnerability allows any authenticated user to bypass ownership checks and access or delete other users' playlists, which can lead to unauthorized disclosure and modification of personal data.

Such unauthorized access and data manipulation could result in violations of data protection regulations like GDPR or HIPAA, which require strict controls over personal data confidentiality and integrity.

Therefore, until patched, systems using affected versions of Gonic may be non-compliant with these standards due to insufficient access controls and data protection mechanisms.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart