PT-2026-26599 · Go · Github.Com/Shi-Gg/Linkdave

Published: 2026-03-10 · Updated: 2026-03-10

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

The linkdave server does not enforce authentication on its REST and WebSocket routes in versions prior to 0.1.5.

Impact

An attacker with network access to the server port can:
  • Connect to the WebSocket endpoint (`/ws`) and receive a valid session ID in the `OpReady` response.
  • Use that session to invoke all REST player controls on any guild corresponding to their session ID [1].
  • Enumerate server statistics and runtime information via the unauthenticated `/stats` endpoint (still public after the fix).

[1] If on >= 0.1.0, attackers are restricted to creating, controlling and deleting players created within their own session ID.

Vulnerable Routes

The following routes were entirely unauthenticated in >= 0.0.1, < 0.1.5:

| Method | Path | Description |
| --- | --- | --- |
| POST | `/sessions/{session_id}/players/{guild_id}/play` | Start audio playback |
| POST | `/sessions/{session_id}/players/{guild_id}/pause` | Pause playback |
| POST | `/sessions/{session_id}/players/{guild_id}/resume` | Resume playback |
| POST | `/sessions/{session_id}/players/{guild_id}/stop` | Stop playback |
| POST | `/sessions/{session_id}/players/{guild_id}/seek` | Seek to position |
| PATCH | `/sessions/{session_id}/players/{guild_id}/volume` | Set volume |
| DELETE | `/sessions/{session_id}/players/{guild_id}` | Disconnect from voice channel |
| GET | `/ws` | WebSocket event stream |

Patches

Update to 0.1.5.
```diff
- image: ghcr.io/shi-gg/linkdave:0.1.4
+ image: ghcr.io/shi-gg/linkdave:latest
```
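Review bot: the `+ image:` line moves to the floating `latest` tag, which does not record which release is actually running and can later resolve to a different build without any change to this file. Pinning the fixed release named above (0.1.5) or an image digest would keep the deployed version verifiable while still picking up the fix.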
or
```sh
docker pull ghcr.io/shi-gg/linkdave:latest
```
After upgrading, set the `LINKDAVE_PASSWORD` environment variable to a strong secret value. If this variable is left unset, the server still accepts all connections without authentication, even on >= 0.1.5.
Server configuration (e.g. compose.yml):
```yaml
environment:
  LINKDAVE_PASSWORD: ${LINKDAVE_PASSWORD}
```

```sh
# Generate a random 128-bit secret and append it to .env
echo "LINKDAVE_PASSWORD=$(openssl rand -hex 16)" >> .env
```
To restart the stack, run:
```sh
docker compose up -d
```
TypeScript client (0.1.5+):
The client automatically handles authentication. Pass the password when constructing the client:
```ts
const linkdave = new LinkDaveClient({
  nodes: [
    {
      name: "main",
      url: process.env.LINKDAVE_URI,
      // Must match the LINKDAVE_PASSWORD configured on the server
      password: process.env.LINKDAVE_PASSWORD
    }
  ]
});
```
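
The server-side pattern this advisory is about, as an added Go example that is not linkdave's own code: every route except `/stats` sits behind a single password check, so a newly added route is protected by default, and an unset password fails closed instead of open. The `Authorization` header as the transport, the stub handlers and the names `requirePassword`, `newRouter` and `status` are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// requirePassword checks the Authorization header (assumed transport) against password.
func requirePassword(password string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(password))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := sha256.Sum256([]byte(r.Header.Get("Authorization")))
		// Unset password never matches (fail closed); digests compare in constant time.
		if password == "" || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter is default-deny: only /stats is registered outside the check.
func newRouter(password string) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	protected := http.NewServeMux()
	protected.Handle("/sessions/", ok) // stub for the player control routes
	protected.Handle("/ws", ok)        // stub for the WebSocket endpoint
	root := http.NewServeMux()
	root.Handle("/stats", ok)
	root.Handle("/", requirePassword(password, protected))
	return root
}

// status sends one in-memory request and returns the HTTP status code.
func status(h http.Handler, method, path, auth string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(newRouter(os.Getenv("LINKDAVE_PASSWORD")), "POST", "/sessions/s1/players/g1/play", ""))
}
```

Because the check wraps the catch-all route, a handler added later under `protected` cannot be exposed by forgetting to attach the middleware.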

Workarounds

If upgrading is not immediately possible, restrict network access to the server's port using a firewall so it is only accessible from trusted internal IP addresses.

Fix

Missing Authentication


Weakness Enumeration

Related Identifiers

GHSA-XV8G-FJ9H-6GMV

Affected Products

Github.Com/Shi-Gg/Linkdave