CVE-2026-49340: gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host
A logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions.
The bug is independent of the playlist ownership IDOR fixed in 6dd71e6: it stems from a guard clause in the handler that can never be reached, combined with the absence of any path containment in Store.Write, so a caller-supplied path is used as-is when the file is written.
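The fix a practitioner would expect for the second half of this bug is to make the store itself refuse paths outside its root, rather than relying on a check in the HTTP handler. The following Go block is an added illustration written for this advisory and is not gonic's code: the `Store`, `Root`, `resolve` and `Write` names, the 0o750/0o640 modes and the constructed inputs are all assumptions. It rejects absolute paths, cleans the path and verifies the result still sits under the root, and creates parent directories without world-writable bits.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested playlist path would escape Root.
var ErrOutsideRoot = errors.New("playlist path escapes store root")

// Store is a hypothetical playlist store confined to Root. It illustrates
// path containment only; it is not the project's own Store type.
type Store struct {
	Root string
}

// resolve maps a caller-supplied playlist path onto a path inside Root.
// Absolute paths are refused outright; relative paths are joined (which also
// cleans ".." segments) and then checked against the root prefix, because
// cleaning alone does not stop "../../etc/x" from leaving the root.
func (s *Store) resolve(rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrOutsideRoot
	}
	root, err := filepath.Abs(s.Root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, rel)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// Write stores M3U content at rel inside Root. Parent directories are created
// with 0o750 (not 0o777) and the file with 0o640; both are still subject to
// the process umask. It returns the absolute path that was written.
func (s *Store) Write(rel string, content []byte) (string, error) {
	full, err := s.resolve(rel)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o750); err != nil {
		return "", err
	}
	if err := os.WriteFile(full, content, 0o640); err != nil {
		return "", err
	}
	return full, nil
}

func main() {
	root, err := os.MkdirTemp("", "playlists")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	s := &Store{Root: root}

	// Constructed inputs: one legitimate name and three that must be refused.
	for _, rel := range []string{
		"alice/mix.m3u",
		"/tmp/evil.m3u",
		"../escape.m3u",
		"alice/../../escape.m3u",
	} {
		full, err := s.Write(rel, []byte("#EXTM3U\n"))
		if err != nil {
			fmt.Printf("%-26s rejected: %v\n", rel, err)
			continue
		}
		fmt.Printf("%-26s written to %s\n", rel, full)
	}
}
```

`filepath.Join` on Unix folds a leading slash into the root, so the explicit `IsAbs` check is there to fail loudly rather than silently relocate the file; on Go 1.20 and later `filepath.IsLocal` performs an equivalent test in one call. The prefix check does not follow symlinks, so a store whose root contains attacker-created links would additionally need `filepath.EvalSymlinks` on the parent before writing.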