GHSA-qff7-q5fm-8p76: AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
The GET /api/station/{station_id}/file/{id}/play endpoint, handled by PlayAction, is missing the Middleware\Permissions check that protects all sibling routes in the same /file/{id} route group. Any authenticated user can download media files from any station, regardless of whether they have permissions on that station. In multi-tenant deployments, this enables cross-station media exfiltration.
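The root cause described above is a guard attached route-by-route, so one route in the group is simply forgotten. The following PHP is an added example, not AzuraCast's code: it models a Slim-style route group with a minimal `Route` stand-in, shows the per-route registration that leaves `PlayAction` unguarded beside a hardened version that attaches the check at group level, and includes an audit function a project can run as a unit test so an unguarded route fails CI. The sibling handler names (`GetAction`, `EditAction`, `DeleteAction`) and the middleware name `PermissionsMiddleware` are hypothetical stand-ins; only `PlayAction` and the `/file/{id}/play` path come from the advisory. Requires PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not AzuraCast's code. Minimal stand-in for a framework route:
// each route records the middleware that runs before its handler.
// Handler names other than PlayAction and the middleware name are hypothetical.
final class Route
{
    /** @param list<string> $middleware */
    public function __construct(
        public readonly string $method,
        public readonly string $pattern,
        public readonly string $handler,
        public array $middleware = [],
    ) {}
}

const FILE_GROUP_PREFIX = '/api/station/{station_id}/file/{id}';
const PERMISSIONS_MIDDLEWARE = 'PermissionsMiddleware';

/**
 * Per-route registration: the pattern the advisory describes. The permissions
 * check is attached to each sibling route individually, and the play route
 * is missed, so any authenticated user reaches PlayAction.
 *
 * @return list<Route>
 */
function registerFileRoutesPerRoute(): array
{
    return [
        new Route('GET',    FILE_GROUP_PREFIX,           'GetAction',    [PERMISSIONS_MIDDLEWARE]),
        new Route('PUT',    FILE_GROUP_PREFIX,           'EditAction',   [PERMISSIONS_MIDDLEWARE]),
        new Route('DELETE', FILE_GROUP_PREFIX,           'DeleteAction', [PERMISSIONS_MIDDLEWARE]),
        new Route('GET',    FILE_GROUP_PREFIX . '/play', 'PlayAction',   []), // guard missing
    ];
}

/**
 * Hardened registration: the check is applied once to the whole group, so a
 * route added later cannot silently bypass it.
 *
 * @return list<Route>
 */
function registerFileRoutesGrouped(): array
{
    $group = [
        new Route('GET',    FILE_GROUP_PREFIX,           'GetAction'),
        new Route('PUT',    FILE_GROUP_PREFIX,           'EditAction'),
        new Route('DELETE', FILE_GROUP_PREFIX,           'DeleteAction'),
        new Route('GET',    FILE_GROUP_PREFIX . '/play', 'PlayAction'),
    ];
    foreach ($group as $route) {
        $route->middleware[] = PERMISSIONS_MIDDLEWARE; // group-level guard
    }
    return $group;
}

/**
 * Audit: every route under $prefix that does not carry $middleware.
 * Intended to run as a unit test: a non-empty result means an authorization gap.
 *
 * @param list<Route> $routes
 * @return list<string> "METHOD pattern" of each unguarded route
 */
function unguardedRoutes(array $routes, string $prefix, string $middleware): array
{
    $missing = [];
    foreach ($routes as $route) {
        if (str_starts_with($route->pattern, $prefix)
            && !in_array($middleware, $route->middleware, true)) {
            $missing[] = $route->method . ' ' . $route->pattern;
        }
    }
    return $missing;
}

// Usage: the per-route table reports the play route; the grouped table reports nothing.
print_r(unguardedRoutes(registerFileRoutesPerRoute(), FILE_GROUP_PREFIX, PERMISSIONS_MIDDLEWARE));
print_r(unguardedRoutes(registerFileRoutesGrouped(), FILE_GROUP_PREFIX, PERMISSIONS_MIDDLEWARE));
```

The design point is that a group-level guard turns "did we remember the middleware on this route?" into "is this route inside the guarded group?", which is a property a test can check by prefix; in a multi-tenant deployment that is the check that keeps a user on one station from reading another station's media.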