Navidrome · Navidrome · CVE-2025-27112
**Name of the Vulnerable Software and Affected Versions**
Navidrome versions 0.52.0 through 0.54.4
**Description**
The authentication check in certain Subsonic API endpoints is flawed. An attacker can bypass authentication by supplying an arbitrary non-existent username together with a salted hash of an empty password, which grants access to read-only data without valid credentials. The attacker can view information such as user playlists, but cannot modify data because of insufficient permissions.
**Recommendations**
For Navidrome versions 0.52.0 through 0.54.4, update to version 0.54.5 to resolve the issue.
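To check access logs from an affected deployment for the pattern in the description, the added example below (not Navidrome's code) flags Subsonic requests whose token matches an empty password. It relies on the Subsonic API's token scheme, where `t` is the hex MD5 of the password followed by the salt `s`, and assumes the full request URI with its query string is available in the log; the function names and sample URIs are constructed for illustration.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// token computes the Subsonic token for a password and salt: hex(md5(password + salt)).
func token(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// IsEmptyPasswordAuth reports whether a logged request URI carries t == md5("" + s).
func IsEmptyPasswordAuth(requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	t, s := u.Query().Get("t"), u.Query().Get("s")
	if t == "" { // request does not use token authentication
		return false, nil
	}
	return strings.EqualFold(t, token("", s)), nil
}

// Suspicious returns the usernames (u parameter) of the flagged requests.
func Suspicious(uris []string) []string {
	var users []string
	for _, raw := range uris {
		if hit, err := IsEmptyPasswordAuth(raw); err == nil && hit {
			u, _ := url.ParseRequestURI(raw)
			users = append(users, u.Query().Get("u"))
		}
	}
	return users
}

func main() {
	// Constructed sample URIs (hypothetical reverse-proxy access log entries).
	sample := []string{
		"/rest/getPlaylists?u=alice&s=c19b2d&t=" + token("correct horse", "c19b2d") + "&v=1.16.1&c=app",
		"/rest/getPlaylists?u=nosuchuser&s=a1b2c3&t=" + token("", "a1b2c3") + "&v=1.16.1&c=app",
	}
	fmt.Println(Suspicious(sample))
}
```

A real account whose password is actually empty produces the same token, so confirm each flagged username against the user table before treating a hit as a bypass attempt.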