CVE-2026-49339 is a high-severity path traversal vulnerability in go.senan.xyz/gonic (go), affecting versions <= 0.20.1. It is fixed in 0.21.0.
Summary The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 (fix(subsonic): enforce playlist ownership on getPlaylist/deletePlaylist) added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and: Read any other user's playlist (name, comment, IsPublic flag, song list) by crafting a base64-encoded playlist ID whose first segment matches their own user ID, followed by .. traversal segments pointing into another user's playlist directory. Delete any other user's playlist (including admin's curated playlists) by the same trick against deletePlaylist. Probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the 6dd71e6 fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the id parameter rather than direct cross-user access). Root cause server/ctrlsubsonic/handlersplaylist.go::playlistIDDecode performs raw base64 decode of the id parameter and passes the byte string straight to playlistStore.Read/Delete: playlist/playlist.go::Store.Read then: userIDFromPath reads only the first segment via firstPathEl(relPath) (strconv.Atoi of strings.Split(path, "/")[0]). It does not validate that the cleaned absolute path stays under s.basePath. The id parameter is base64-decoded as raw bytes (no path cleaning at decode time), so a payload like "2/../../<victim>/playlist.m3u" is preserved verbatim. userIDFromPath extracts "2" (the attacker's own user ID), playlist.UserID = 2, and the ownership check playlist.UserID != user.ID && !playlist.IsPublic becomes 2 != 2 && ... → false → access allowed. Meanwhile filepath.Join resolves the .. segments and escapes basePath. Affected code playlist/playlist.go:88-144, Store.Read joins relPath with basePath without containment validation playlist/playlist.go:200-206, Store.Delete (same pattern) playlist/playlist.go:208-220, userIDFromPath / firstPathEl trust only the first path segment server/ctrlsubsonic/handlersplaylist.go:51-72, ServeGetPlaylist ownership check server/ctrlsubsonic/handlersplaylist.go:182-202, ServeDeletePlaylist ownership check server/ctrlsubsonic/handlersplaylist.go:209-212, playlistIDDecode (no validation) Live PoC, passing Go test Drop this into server/ctrlsubsonic/handlersplaylistreadtraversaltest.go and run go test -run TestGetPlaylistArbitraryReadNonAdminUserIDPrefix ./server/ctrlsubsonic/ -v: Test output against current master HEAD 6dd71e6: The same approach against ServeDeletePlaylist (f.contr.ServeDeletePlaylist) deletes the targeted file. HTTP-level reproduction Impact Confidentiality: Any authenticated user can read any other user's playlist content, including the private (IsPublic=false) playlists that the recent 6dd71e6 fix specifically tried to protect. Integrity / Availability: Any authenticated user can delete any other user's playlists, including admin's curated lists. Same bypass technique works against ServeDeletePlaylist. Trust boundary: gonic explicitly supports multi-user deployments. This bug defeats the user-to-user authorization model that the maintainer just patched. Arbitrary file content read is constrained by gonic's M3U parser, only #GONIC-NAME: / #GONIC-COMMENT: attributes from the target file survive parsing. File-existence probing works against arbitrary paths. CVSS CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 7.1 High Suggested fix Add path containment in playlist/playlist.go for Store.Read, Store.Write, and Store.Delete, reject any relPath that escapes s.basePath after filepath.Join: Apply in Write() (line 153) and Delete() (line 206) as well. The ownership check at 6dd71e6 then becomes a defense-in-depth layer on top of the structural containment. Credits Reported by Vishal Shukla (@shukla304 / @therawdev).
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-49339 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.21.0). Upgrading removes the vulnerable code path.
go
go.senan.xyz/gonic (<= 0.20.1)go.senan.xyz/gonic → 0.21.0 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-49339 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-49339 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-49339 in your environment →Upgrade go.senan.xyz/gonic to 0.21.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-49339 is a high-severity path traversal vulnerability in go.senan.xyz/gonic (go), affecting versions <= 0.20.1. It is fixed in 0.21.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
CVE-2026-49339 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
go.senan.xyz/gonic (go) versions <= 0.20.1 is affected.
Yes. CVE-2026-49339 is fixed in 0.21.0. Upgrade to this version or later.
Whether CVE-2026-49339 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade go.senan.xyz/gonic to 0.21.0 or later.