Summary The maintainer's recent fix in [6dd71e6a3c966867ef8c900d359a7df75789f410](https://github.com/sentriz/gonic/commit/6dd71e6) (fix(subsonic): enforce playlist ownership on getPlaylist/deletePlaylist) added an owner…
| CVE ID | CVE-2026-49339 |
| Vendor | go |
| Affected Product | go.senan.xyz/gonic |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.1 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
6dd71e6a3c966867ef8c900d359a7df75789f410](https://github.com/sentriz/gonic/commit/6dd71e6) (fix(subsonic): enforce playlist ownership on getPlaylist/deletePlaylist) added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the *first path segment* of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and: 1. Read any other user's playlist (name, comment, IsPublic flag, song list) by crafting a base64-encoded playlist ID whose first segment matches their own user ID, followed by .. traversal segments pointing into another user's playlist directory.2. Delete any other user's playlist
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.