PT-2026-51009 · Sentriz · Gonic

Shukla304 +2 · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-49339
CVSS v3.1 7.1 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: gonic versions prior to 0.21.0
Description: An authenticated Subsonic user can bypass the ownership check to read or delete playlists belonging to other users, and can probe arbitrary file paths on the host to learn whether they exist or are readable. The cause is that playlist.UserID is derived from the first path segment of the playlist ID, while the file path resolved from that ID is never checked to stay within the expected directory. A path traversal sequence in the id parameter can therefore name the caller's own user in the first segment, satisfy the ownership check, and still resolve to a file outside that user's playlists. The check was the boundary meant to prevent insecure direct object references (IDOR), in which an application grants access to an object selected by user-supplied input without verifying that the caller is authorized for it.
Recommendations: Update to version 0.21.0.
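The following is an added example that models the bug class described above; it is not gonic's code and does not reproduce its internals. It assumes a hypothetical layout in which playlists are stored as <root>/<ownerID>/<name>.m3u and the Subsonic-facing playlist id is that relative path. resolveVulnerable takes the owner from the first segment and joins the id onto the root without a containment check, which is the pattern the advisory describes; resolveSafe rejects traversal segments and, independently, verifies with filepath.Rel that the resolved path stays under the requester's own directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Constructed model of the bug class in the advisory; this is NOT gonic's code.
// Assumption: playlists live on disk as <root>/<ownerID>/<name>.m3u and the
// Subsonic-facing playlist id is that relative path.

var (
	ErrBadID     = errors.New("malformed playlist id")
	ErrForbidden = errors.New("playlist belongs to another user")
)

type Playlist struct {
	UserID int    // owner, taken from the first path segment of the id
	Path   string // resolved file on disk
}

// resolveVulnerable reproduces the flaw: ownership is decided from the first
// segment alone and the joined path is never checked for containment, so
// "1/../2/x.m3u" passes as user 1's playlist but resolves into user 2's directory,
// and enough ".." segments reach any file on the host.
func resolveVulnerable(root, id string, requester int) (Playlist, error) {
	first := strings.SplitN(id, "/", 2)[0]
	owner, err := strconv.Atoi(first)
	if err != nil {
		return Playlist{}, ErrBadID
	}
	if owner != requester {
		return Playlist{}, ErrForbidden
	}
	// filepath.Join cleans ".." away, which is exactly how the traversal escapes.
	return Playlist{UserID: owner, Path: filepath.Join(root, id)}, nil
}

// resolveSafe rejects traversal at the id level and, independently, verifies
// that the resolved path stays under the requester's own directory.
func resolveSafe(root, id string, requester int) (Playlist, error) {
	segs := strings.Split(id, "/")
	if len(segs) < 2 {
		return Playlist{}, ErrBadID
	}
	for _, s := range segs {
		if s == "" || s == "." || s == ".." || strings.ContainsRune(s, '\\') {
			return Playlist{}, ErrBadID
		}
	}
	// Require the canonical decimal form so "01" cannot alias user 1's directory.
	owner, err := strconv.Atoi(segs[0])
	if err != nil || strconv.Itoa(owner) != segs[0] {
		return Playlist{}, ErrBadID
	}
	if owner != requester {
		return Playlist{}, ErrForbidden
	}
	userDir := filepath.Join(root, segs[0])
	full := filepath.Join(append([]string{root}, segs...)...)
	// Defence in depth: even if segment filtering regresses, a path that
	// escapes userDir is refused.
	rel, err := filepath.Rel(userDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return Playlist{}, ErrForbidden
	}
	return Playlist{UserID: owner, Path: full}, nil
}

func main() {
	root := "/srv/gonic/playlists" // constructed sample root, not a real install
	for _, id := range []string{"1/mix.m3u", "1/../2/private.m3u", "1/../../../../etc/passwd"} {
		v, verr := resolveVulnerable(root, id, 1)
		s, serr := resolveSafe(root, id, 1)
		fmt.Printf("%-28s vulnerable: %v %v\n", id, v.Path, verr)
		fmt.Printf("%-28s hardened:   %v %v\n", "", s.Path, serr)
	}
}
```

The two checks in resolveSafe are deliberately redundant: segment filtering stops the traversal before any path is built, and the filepath.Rel check catches a future regression in that filter. Either one alone would have blocked the ids that the vulnerable resolver accepts.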

Fix

IDOR

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2026-49339

Affected Products: Gonic