Insecure Direct Object Reference in Gonic Music Streaming Server by Sentriz
CVE-2026-49339

7.1 HIGH

Key Information:

Vendor: Sentriz
Status: Vendor
CVE Published: 19 June 2026

What is CVE-2026-49339?

Gonic, a free-software Subsonic server API implementation, has a vulnerability that allows authenticated users to bypass ownership checks on playlists because of flawed path handling in the playlist ID. The flaw allows an authenticated user to modify and delete playlists belonging to other users and to probe for arbitrary files on the server. It arises because playlist.UserID is taken from the first path segment of the attacker-controlled playlist ID, and the checks that follow do not sufficiently validate the resolved file path. The issue is fixed in version 0.21.0.
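
The pattern the description refers to, with a hardened resolver beside it, as an added illustration in Go (gonic's language). This is not gonic's code: the on-disk layout `<root>/<userID>/<playlistID>.m3u`, the function names and the error values are assumptions made for the example. The unsafe variant takes the owner from the first segment and joins the ID onto the root unchecked, so an ownership check on the extracted owner passes while the path escapes the user's directory; the safe variant cleans the ID, requires exactly `<numericUserID>/<numericPlaylistID>.m3u`, compares the owner against the authenticated user rather than the client-supplied value, and confirms containment with `filepath.Rel` as a second line of defence.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Assumed layout (not gonic's real storage scheme):
//   <root>/<userID>/<playlistID>.m3u
// The client supplies the "playlist ID" as an opaque string.

var (
	ErrInvalidPlaylistID = errors.New("invalid playlist id")
	ErrNotOwner          = errors.New("playlist not owned by requesting user")
)

// unsafeResolve mirrors the flawed pattern described in the advisory: the owner
// is read from the first path segment of the client-controlled ID, and the ID is
// joined onto the root without checking where the result lands. A caller that
// compares `owner` with the session user will be satisfied even when `path`
// points outside that user's directory.
func unsafeResolve(root, id string) (owner string, path string) {
	owner = strings.SplitN(id, "/", 2)[0]
	return owner, filepath.Join(root, id)
}

// safeResolve returns the on-disk path for a playlist the authenticated user
// owns, or an error. Ownership is decided by authUserID, never by trusting the
// client-supplied segment on its own.
func safeResolve(root string, authUserID int, id string) (string, error) {
	// Normalise first so "7/../8/1.m3u" and "8/1.m3u" are judged the same way.
	clean := filepath.ToSlash(filepath.Clean(id))
	if filepath.IsAbs(clean) || clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrInvalidPlaylistID
	}

	// Allowlist the shape: exactly <digits>/<digits>.m3u.
	segs := strings.Split(clean, "/")
	if len(segs) != 2 {
		return "", ErrInvalidPlaylistID
	}
	ownerID, err := strconv.Atoi(segs[0])
	if err != nil || ownerID < 0 {
		return "", ErrInvalidPlaylistID
	}
	name := strings.TrimSuffix(segs[1], ".m3u")
	if name == segs[1] { // suffix was missing
		return "", ErrInvalidPlaylistID
	}
	if _, err := strconv.Atoi(name); err != nil {
		return "", ErrInvalidPlaylistID
	}

	// Ownership: the owner encoded in the ID must be the session user.
	if ownerID != authUserID {
		return "", ErrNotOwner
	}

	// Defence in depth: rebuild the path from validated pieces and prove it
	// stays inside the user's own directory.
	userDir := filepath.Join(root, strconv.Itoa(authUserID))
	full := filepath.Join(userDir, segs[1])
	rel, err := filepath.Rel(userDir, full)
	if err != nil || rel != segs[1] {
		return "", ErrInvalidPlaylistID
	}
	return full, nil
}

func main() {
	root := "/data/playlists" // constructed sample root
	owner, p := unsafeResolve(root, "7/../../etc/passwd")
	fmt.Printf("unsafe: owner=%q path=%q (owner check passes, path escaped)\n", owner, p)

	for _, id := range []string{"7/12.m3u", "8/12.m3u", "7/../../etc/passwd", "../7/12.m3u"} {
		p, err := safeResolve(root, 7, id)
		fmt.Printf("safe: id=%q -> path=%q err=%v\n", id, p, err)
	}
}
```

The containment check is redundant once the shape allowlist has passed, but keeping it means a later relaxation of the allowlist (say, to accept named playlists) does not silently reopen the traversal.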

Affected Version(s)

gonic < 0.21.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved