Authorization Flaw in Gonic Music Streaming Server by Sentriz
CVE-2026-49338

7.1 HIGH

Key Information:

Vendor: Sentriz
Status: Vendor
CVE Published: 19 June 2026

What is CVE-2026-49338?

The Gonic music streaming server, a Subsonic API implementation, has a critical flaw: the API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view lack proper authorization checks. Any authenticated user, regardless of privilege level, can delete any other user's playlist, including playlists owned by administrators, simply by supplying the relevant playlist ID. Additionally, users who are not authorized to view a private playlist can retrieve its details by guessing its ID, which can easily be derived from previously public data. This vulnerability compromises Gonic's trust model, allowing low-privileged users to manipulate playlists and exfiltrate sensitive user data. The issue has been fixed in version 0.21.0.
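The flaw class described above is a missing ownership check on an object looked up by caller-supplied ID. The Go code below is an added, hypothetical illustration (not gonic's own code; the types, store and function names are constructed for this example): a delete function that trusts the playlist ID exactly as the advisory describes, beside hardened delete and get functions that verify the caller is the owner or an administrator before acting, and that treat a public flag as the only exception for reads.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Constructed, hypothetical model of a Subsonic-style playlist store.
// Illustrative code only; it is not gonic's implementation.
type User struct {
	ID      int
	Name    string
	IsAdmin bool
}

type Playlist struct {
	ID       int
	OwnerID  int
	Name     string
	IsPublic bool
}

// ErrNotFound is returned both when the ID does not exist and when the
// caller is not allowed to touch the playlist, so a non-owner cannot use
// the response to confirm that another user's playlist ID exists.
var ErrNotFound = errors.New("playlist not found")

type Store struct {
	mu        sync.Mutex
	playlists map[int]*Playlist
}

func NewStore(pls ...*Playlist) *Store {
	s := &Store{playlists: map[int]*Playlist{}}
	for _, p := range pls {
		s.playlists[p.ID] = p
	}
	return s
}

// VulnerableDelete mirrors the flaw class in the advisory: the request's
// playlist ID is trusted and the authenticated caller is never compared
// against the playlist owner. The caller argument is unused on purpose.
func (s *Store) VulnerableDelete(_ User, id int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.playlists[id]; !ok {
		return ErrNotFound
	}
	delete(s.playlists, id)
	return nil
}

// canManage is the authorization predicate applied before any mutation or
// private read: the caller must own the playlist or be an administrator.
func canManage(caller User, p *Playlist) bool {
	return p.OwnerID == caller.ID || caller.IsAdmin
}

// SafeDelete performs the ownership check before deleting.
func (s *Store) SafeDelete(caller User, id int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.playlists[id]
	if !ok || !canManage(caller, p) {
		return ErrNotFound
	}
	delete(s.playlists, id)
	return nil
}

// SafeGet returns a playlist to its owner or an admin, or to anyone only
// when the playlist is explicitly public.
func (s *Store) SafeGet(caller User, id int) (*Playlist, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.playlists[id]
	if !ok || (!p.IsPublic && !canManage(caller, p)) {
		return nil, ErrNotFound
	}
	return p, nil
}

// Count reports how many playlists remain (used to observe deletions).
func (s *Store) Count() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.playlists)
}

func main() {
	alice := User{ID: 1, Name: "alice"}
	bob := User{ID: 2, Name: "bob"}
	s := NewStore(&Playlist{ID: 10, OwnerID: 1, Name: "alice-private"})
	fmt.Println("vulnerable delete by bob:", s.VulnerableDelete(bob, 10), "remaining:", s.Count())
	s = NewStore(&Playlist{ID: 10, OwnerID: 1, Name: "alice-private"})
	fmt.Println("safe delete by bob:", s.SafeDelete(bob, 10), "remaining:", s.Count())
	fmt.Println("safe delete by alice:", s.SafeDelete(alice, 10), "remaining:", s.Count())
}
```

The design choice worth noting is that the hardened functions answer "not found" for both a missing ID and a foreign private playlist, so the error response itself does not become the ID-guessing oracle the advisory warns about; the public flag only widens reads, never deletes.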

Affected Version(s)

gonic < 0.21.0

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
