CVE-2026-49340
Status: Received - Intake
Path Traversal in Gonic Music Server

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with `0o777` permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in `Store.Write`. Version 0.21.0 patches the issue.
Meta Information
Generated: 2026-06-21
AI Q&A generated: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)

Vendor    Product   Version / Range
sentriz   gonic     < 0.21.0 (affected)
sentriz   gonic     0.21.0 (the patched release, listed as its own CPE)
CWE

CWE-22   The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-697  The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-732  The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Quick Actions
Compliance Impact

This vulnerability allows an authenticated user to write files to attacker-controlled locations on the host filesystem, overwriting existing files and affecting system integrity and availability.

The vulnerability does not directly affect confidentiality, but the ability to alter or disrupt the files that hold or protect personal data (the gonic database, configuration, logs) bears on the integrity and availability requirements of standards such as GDPR and HIPAA; unauthorized modification of those files, or disruption of the service, could put a deployment out of compliance with them.

Executive Summary

CVE-2026-49340 is an arbitrary file write vulnerability in the gonic media server (versions prior to 0.21.0). It allows any authenticated Subsonic user, including non-admins, to write playlist M3U content to an attacker-controlled absolute filesystem path on the server.

The vulnerability arises from two defects: a guard clause in the ServeCreateOrUpdatePlaylist handler that is unreachable, so the check it was meant to apply never executes and rejects nothing, and a Store.Write function that performs no path containment, so whatever path it is handed is written verbatim. The advisory notes that this bug is independent of CVE-2026-49338 and CVE-2026-49339.

Because of this, an attacker can supply a playlist identifier that Store.Write uses directly as a filesystem path. An absolute path (the case the advisory describes) or one containing traversal sequences such as ../../../ lands outside the intended playlists directory, potentially overwriting existing files or creating the intermediate directories with world-writable (0o777) permissions.
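To make the two defects concrete, here is an added example in Go; it is not gonic's code, and the names writeUnchecked, resolveUnderRoot, writeContained and ErrOutsideRoot are this example's own. It places a write with the shape the advisory describes (destination taken from the request as-is, directories created 0o777) beside a contained version that refuses absolute names, resolves ".." lexically and proves the result still lies under the store root before touching the filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a playlist name would resolve outside the
// store root. Hypothetical name, not gonic's.
var ErrOutsideRoot = errors.New("playlist path escapes store root")

// writeUnchecked has the shape the advisory describes: the destination comes
// straight from the request (an absolute path, or one containing "..") and is
// used as-is. MkdirAll with 0o777 expresses no restriction on the intermediate
// directories; only the process umask narrows them.
func writeUnchecked(dst string, m3u []byte) error {
	if err := os.MkdirAll(filepath.Dir(dst), 0o777); err != nil {
		return err
	}
	return os.WriteFile(dst, m3u, 0o644)
}

// resolveUnderRoot maps a caller-supplied playlist name to a path under root,
// or returns ErrOutsideRoot. The check is lexical: Join cleans ".." segments,
// Rel then proves the result is still below root. It does not follow symlinks.
func resolveUnderRoot(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(name) {
		// Join would silently re-root an absolute name; reject it outright so
		// the request is refused rather than quietly rewritten.
		return "", ErrOutsideRoot
	}
	dst := filepath.Join(absRoot, name) // cleans "sub/../../x" to its resolved form
	rel, err := filepath.Rel(absRoot, dst)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	// "." means the name collapsed to root itself, which is not a file.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return dst, nil
}

// writeContained is the hardened counterpart: containment check first, then
// directories created 0o755 (owner-writable only) and the file 0o644.
func writeContained(root, name string, m3u []byte) (string, error) {
	dst, err := resolveUnderRoot(root, name)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
		return "", err
	}
	return dst, os.WriteFile(dst, m3u, 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "playlists-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, name := range []string{"mine.m3u", "sub/../../escape.m3u", "/tmp/escape.m3u"} {
		dst, err := writeContained(root, name, []byte("#EXTM3U\n"))
		fmt.Printf("%-24q -> dst=%q err=%v\n", name, dst, err)
	}
}
```

The lexical check is the minimum; a symlink already inside the playlists directory can still point elsewhere, so on Go 1.24 and later a store that opens the root with os.OpenRoot and writes through the resulting os.Root gets the containment enforced by the kernel rather than by string handling.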

Impact Analysis

This vulnerability allows an authenticated attacker to overwrite or create files on the gonic host with the privileges of the gonic process: whatever the service user can write, the attacker can write, and a gonic running as root can overwrite anything.

  • Integrity impact: critical files such as the SQLite database (gonic.db), configuration files, logs, or other user data can be overwritten or tampered with.
  • Availability impact: overwriting important files or creating directories with insecure permissions can disrupt the normal operation of the server.

The vulnerability does not impact confidentiality but has a high severity score (CVSS 8.1) due to its potential to affect integrity and availability.

Detection Guidance

Confirm exposure by checking the gonic version: anything prior to 0.21.0 is affected. Evidence of exploitation is a playlist M3U file, or a freshly created directory chain, sitting at a path the server had no reason to touch.

To detect attempts, look at the Subsonic API request log (gonic's own, or the reverse proxy in front of it) for createPlaylist requests whose playlistId is not a plain identifier: an absolute path, a path containing "..", or anything with a slash or backslash, possibly URL-encoded (%2F, %5C, %2E%2E) or double-encoded. POST bodies are usually not logged, so an attacker who sends the parameters in a POST body leaves less trace than one who uses the query string.

On the filesystem, search for files and directories the gonic process created outside its expected directories. Two caveats: the created mode is 0o777 minus the process umask, so on a default umask of 022 the directories land as 0755 and a search for world-writable directories finds nothing; and the destination name is attacker-controlled, so an .m3u extension is only a hint. For example:

  • World-writable directories created recently anywhere on the host (the attacker chooses the path, so do not limit the search to the playlists directory): find / -xdev -type d -perm -0002 -mtime -7 -ls
  • Recently created directories owned by the gonic service user outside its data directory, which also catches the umask-reduced 0755 case: find / -xdev -user <gonic service user> -type d -mtime -7 -not -path '/path/to/gonic/*' -ls
  • Playlist files outside the intended directory: find / -xdev -name '*.m3u' -not -path '/path/to/gonic/playlists/*' -ls
  • The access log, as above, for createPlaylist requests whose playlistId contains a path separator or traversal sequence.
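The log check above, as an added example in Go that is not gonic's own tooling, run over a few constructed Combined Log Format lines. It assumes gonic (or the reverse proxy in front of it) logs the request line with its query string, and it treats playlistId and name as the parameters that might reach the playlist file path; the advisory does not name the parameter, so that list is an assumption. The scanner decodes each value a second time so that double-encoded traversal is caught as well.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one access-log line whose createPlaylist request carried a
// parameter that looks like a filesystem path rather than a playlist ID.
type Finding struct {
	Line   int
	Param  string
	Value  string
	Reason string
}

// reqRE pulls the request target out of a Combined Log Format line.
var reqRE = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/`)

// pathParams are the createPlaylist parameters assumed (not confirmed by the
// advisory) to reach the playlist file path.
var pathParams = []string{"playlistId", "name"}

// suspiciousID checks one already-decoded parameter value. It first decodes
// once more, so double-encoded traversal (..%252F..) is caught too.
func suspiciousID(v string) (string, bool) {
	if d, err := url.QueryUnescape(v); err == nil && d != v {
		if reason, ok := suspiciousID(d); ok {
			return "double-encoded: " + reason, true
		}
	}
	n := strings.ReplaceAll(v, `\`, "/") // treat backslashes as separators too
	if strings.HasPrefix(n, "/") {
		return "absolute path", true
	}
	for _, seg := range strings.Split(n, "/") {
		if seg == ".." {
			return "parent-directory traversal", true
		}
	}
	if strings.Contains(n, "/") {
		return "contains path separator", true
	}
	return "", false
}

// scanLog returns a Finding for every createPlaylist request whose pathParams
// fail suspiciousID. Line numbers are 1-based.
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := reqRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil || !strings.Contains(u.Path, "createPlaylist") {
			continue
		}
		q := u.Query() // percent-decodes each value once
		for _, p := range pathParams {
			for _, v := range q[p] {
				if reason, ok := suspiciousID(v); ok {
					out = append(out, Finding{Line: i + 1, Param: p, Value: v, Reason: reason})
				}
			}
		}
	}
	return out
}

// sampleLog is constructed for this example; it is not real gonic output.
var sampleLog = []string{
	`10.0.0.5 - - [19/Jun/2026:10:01:02 +0000] "GET /rest/createPlaylist.view?u=alice&v=1.16.1&c=DSub&name=Running&songId=12 HTTP/1.1" 200 312`,
	`10.0.0.9 - - [19/Jun/2026:10:01:07 +0000] "GET /rest/createPlaylist.view?u=bob&v=1.16.1&c=curl&playlistId=%2Fvar%2Flib%2Fgonic%2Fgonic.db&songId=12 HTTP/1.1" 200 98`,
	`10.0.0.9 - - [19/Jun/2026:10:01:09 +0000] "GET /rest/createPlaylist.view?u=bob&v=1.16.1&c=curl&playlistId=..%252F..%252Fetc%252Fcron.d%252Fx&songId=12 HTTP/1.1" 200 98`,
	`10.0.0.5 - - [19/Jun/2026:10:02:00 +0000] "GET /rest/getPlaylists.view?u=alice&v=1.16.1&c=DSub HTTP/1.1" 200 1200`,
	`10.0.0.5 - - [19/Jun/2026:10:02:30 +0000] "GET /rest/createPlaylist.view?u=alice&v=1.16.1&c=DSub&playlistId=7&songId=13 HTTP/1.1" 200 98`,
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: %s=%q (%s)\n", f.Line, f.Param, f.Value, f.Reason)
	}
}
```

Run against a real log, only the two lines from 10.0.0.9 would be reported: the absolute path to the database file and the double-encoded traversal. A numeric playlistId or an ordinary playlist name passes.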
Mitigation Strategies

The immediate mitigation is to upgrade gonic to version 0.21.0 or later, where the issue is patched.

If upgrading is not immediately possible, reduce who can reach the Subsonic API: disable or remove accounts you do not trust, since any authenticated user, not only admins, can trigger the write.

Tightening permissions on the playlists directory does not help on its own, because the write lands wherever the attacker points it and is performed by the gonic process. What bounds the damage is the privilege of that process: run gonic as a dedicated unprivileged account that owns nothing beyond its data and playlists directories, never as root, and under systemd confine it further with ProtectSystem=strict plus ReadWritePaths= for those directories, ProtectHome=yes and NoNewPrivileges=yes.

Monitor and audit playlist creation and update requests for absolute paths and traversal sequences in the playlist identifier.
