Gonic (Subsonic Server), Path Traversal & Arbitrary File Write, CVE-2026-49340 (High) -DC-Jun2026-713


CVE-2026-49340 is a high-severity vulnerability (CVSS 8.1) in gonic, a free-software Subsonic server API implementation. Prior to version 0.21.0, a logic error in the `ServeCreateOrUpdatePlaylist` function allows any authenticated Subsonic user, including users without administrative privileges, to write playlist M3U content to an arbitrary filesystem path on the gonic host, anywhere the gonic process itself can write.

The vulnerability is rooted in two distinct flaws:

  1. Unreachable Guard Clause: The handler first reads any existing playlist with `c.playlistStore.Read(playlistPath)`, which returns `(playlist, nil)` on success and `(nil, err)` on any failure. The result is then checked with `err != nil && pl != nil`, a condition that can never be true for that contract, so read failures are silently ignored. The ownership check that follows, `playlist.UserID != 0 && playlist.UserID != user.ID`, therefore runs against a zero-value playlist with `UserID == 0` and passes for every caller.
  2. No Path Containment in Store.Write: The `Store.Write` function builds the destination with `filepath.Join(s.basePath, relPath)`. `filepath.Join` cleans the result (it resolves `..` components lexically) but never checks that the cleaned path is still under `basePath`, so a relative path such as `../../etc/cron.daily/anything` causes the file to be written outside the intended `playlists/` directory.
    Furthermore, the `os.MkdirAll` call that creates missing parent directories requests mode `0o777`; those directories end up only as restrictive as the process umask makes them, which is an additional hardening concern. This bug is independent of CVE-2026-49338 and CVE-2026-49339.
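The two flaws side by side, as an added example in Go that is not gonic's own code: `vulnerableJoin` and `vulnerableGuardFires` reproduce the pre-0.21.0 patterns described above, while `safeJoin`, `checkOwner` and `WritePlaylist` show one way to confine the path to the base directory, make the guard reachable, and drop the `0o777` directory mode. The `Playlist` type, all function names and the `/srv/gonic/playlists` base path are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Playlist is an illustrative stand-in for the playlist record (not gonic's type).
// Only UserID matters for the ownership check.
type Playlist struct {
	UserID int
	Name   string
}

var (
	ErrOutsideBase = errors.New("playlist path escapes the playlists directory")
	ErrForbidden   = errors.New("playlist belongs to another user")
)

// vulnerableJoin is the pre-0.21.0 pattern: filepath.Join cleans the path
// (resolving ".." lexically) but never checks the result is still under base.
func vulnerableJoin(base, rel string) string {
	return filepath.Join(base, rel)
}

// safeJoin joins rel onto base and refuses anything that is empty, absolute,
// or that resolves to base itself or to a location outside it.
func safeJoin(base, rel string) (string, error) {
	if rel == "" || filepath.IsAbs(rel) || filepath.VolumeName(rel) != "" {
		return "", ErrOutsideBase
	}
	base = filepath.Clean(base)
	full := filepath.Join(base, rel) // cleaned, so ".." has already been applied
	back, err := filepath.Rel(base, full)
	if err != nil || back == "." || back == ".." ||
		strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// vulnerableGuardFires reproduces the unreachable condition: a Read that
// returns (pl, nil) on success and (nil, err) on failure can never satisfy
// err != nil && pl != nil, so this is false for every input.
func vulnerableGuardFires(pl *Playlist, err error) bool {
	return err != nil && pl != nil
}

// checkOwner is a corrected guard: any read error other than "not found"
// aborts the request, and an existing playlist must belong to the caller.
func checkOwner(pl *Playlist, err error, callerID int) error {
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return nil // no existing playlist: this is a create, not an update
		}
		return err
	}
	if pl != nil && pl.UserID != 0 && pl.UserID != callerID {
		return ErrForbidden
	}
	return nil
}

// WritePlaylist writes content under base, refusing traversal and creating
// missing parent directories owner-only instead of requesting 0o777.
func WritePlaylist(base, rel string, content []byte) (string, error) {
	full, err := safeJoin(base, rel)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o700); err != nil {
		return "", err
	}
	if err := os.WriteFile(full, content, 0o600); err != nil {
		return "", err
	}
	return full, nil
}

func main() {
	base := "/srv/gonic/playlists" // assumed base path for illustration
	evil := "../../../var/log/anything.log"
	fmt.Println("vulnerable join resolves to:", vulnerableJoin(base, evil))
	_, err := safeJoin(base, evil)
	fmt.Println("hardened join returns:", err)
	fmt.Println("old guard fires on read error:", vulnerableGuardFires(nil, errors.New("read failed")))
}
```

The containment check in `safeJoin` is purely lexical: it stops `..` and absolute paths but not a symlink that already exists under `basePath`. Go 1.20's `filepath.IsLocal` covers the same lexical check in one call, and Go 1.24's `os.Root` confines file operations to a directory at the kernel level, which also closes the symlink case.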

The issue was patched in version 0.21.0.

DailyCVE Form

Platform: …….

Gonic

Version: ……..

< 0.21.0

Vulnerability :……

Arbitrary File Write

Severity: …….

High (CVSS 8.1)

date: ……….

2026-06-19

Prediction: ……….

Already Patched (0.21.0)

What Undercode Say

# Encode a traversal path to a writable location (e.g., /var/log/anything.log).
# The number of ".." components needed depends on where playlists/ sits on the host.
RAW='../../../var/log/anything.log'
ID="pl-$(printf '%s' "$RAW" | base64 -w0 | tr '/+' '_-')"
# Trigger the vulnerability through the createPlaylist endpoint as a non-admin user.
curl -s "http://gonic-host/rest/createPlaylist.view?u=lowpriv&p=pass&c=poc&v=1.16.1&f=json&id=$ID&name=injected"

Exploit

An attacker can exploit this by:

  1. Encoding a malicious relative path (e.g., `../../../var/log/anything.log`) into a Base64-encoded playlist ID.
  2. Sending a crafted request to the `/rest/createPlaylist.view` endpoint with that ID, using any valid non-admin credentials.
  3. Because the ownership guard is unreachable and `Store.Write` never checks that the joined path stays under `playlists/`, the server writes the M3U playlist content to the attacker-specified path.
  4. The `os.MkdirAll` call creates any missing parent directories, requesting mode `0o777` (subject to the process umask).

Protection

  1. Upgrade gonic: Immediately upgrade to version 0.21.0 or later.
  2. Limit the process's write access: Run gonic under a dedicated account whose writable paths are confined to its playlists, cache and database directories, so that a file-write primitive cannot reach cron directories, unit files or other system locations.
  3. Filter at the edge with care: A WAF can block obvious `../` sequences, but the traversal here travels inside a Base64-encoded playlist ID, so pattern matching on the raw query string is not a reliable control on its own.
  4. Monitor: Alert on `createPlaylist`/`updatePlaylist` requests from non-admin accounts and on new or truncated files appearing outside the `playlists/` directory, and follow security advisories for gonic.

Impact

  • Integrity: Any authenticated user can overwrite (truncate-and-rewrite) any file the gonic process has write access to. This includes gonic's own SQLite database, configuration files, log files, cache, and audit trails.
  • Availability: Overwriting `gonic.db` destroys all user state (accounts, ratings, playlists, etc.), unrecoverably unless a backup exists.
  • Filesystem State: `MkdirAll(dir, 0o777)` requests world-writable intermediate directories; the process umask is the only thing that narrows them.
  • Trust Boundary: gonic explicitly supports a non-admin user role. This bug grants every non-admin user a destructive filesystem-write primitive.


Sources:

Reported By: github.com