CVE-2026-49340: Arbitrary File Write via Path Traversal in Gonic Subsonic Playlist Handler

Gonic is an open-source, self-hosted music streaming server that implements the Subsonic API protocol. To support the synchronization and export of user-created music playlists, Gonic allows playlists to be serialized and stored on the host disk as M3U files. This filesystem interaction introduces an attack surface that must be strictly contained to prevent unauthorized modifications to host system resources.

Prior to version 0.21.0, Gonic exposes an arbitrary file write vulnerability via its Subsonic API implementation. The vulnerability is located within the ServeCreateOrUpdatePlaylist function, which handles request processing for playlist generation and updates. Because the API allows users to specify playlist names that are subsequently mapped to host directories, the absence of strict input containment introduces high security risks.

The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-697 (Incorrect Comparison). Standard, non-administrative authenticated users can leverage this vulnerability to escape the designated playlist directories. By writing files to arbitrary locations, attackers can manipulate host configuration files, drop shell scripts, or overwrite application components.

The vulnerability stems from two primary software flaws working in tandem: an unreachable access-control guard clause and a lack of pathname containment in the storage layer.

First, a logic error in ServeCreateOrUpdatePlaylist produces an unreachable guard clause. The application implements an authorization check intended to ensure that the requesting user holds the required permissions to modify playlists or write to specific physical directories. However, due to an incorrect boolean comparison (CWE-697), this validation routine consistently evaluates to false or is bypassed completely, allowing execution to proceed down the write path regardless of the user's privilege tier.

Second, the storage abstraction layer implements a writing routine (Store.Write) that lacks path containment verification (CWE-22). When Gonic attempts to write the .m3u file to the host disk, it joins the base directory path with the client-supplied playlist name. Because Gonic fails to resolve, sanitize, and verify that the final path resides within the base playlist directory, attackers can supply absolute file paths or relative directory traversal sequences (such as ../../).

Third, when the target directory path does not exist, Gonic invokes directory creation functions with overly permissive default flags (CWE-732). Specifically, Gonic calls os.MkdirAll with 0777 permissions. This behavior creates intermediate directories that are globally readable, writable, and executable by any system user on the host, undermining standard operational access controls.

To understand the vulnerability, consider the simplified representation of the vulnerable Go code path inside the playlist handler and storage layer:

// VULNERABLE FUNCTION (Prior to v0.21.0)
func ServeCreateOrUpdatePlaylist(w http.ResponseWriter, r *http.Request) {
    playlistName := r.FormValue("name") // User-controlled string (e.g., "../../../../etc/cron.d/malicious_job")
    user := GetAuthenticatedUser(r)
 
    // Unreachable Guard Clause due to a logic error
    if user.IsAdmin() == false && IsValidPlaylistPath(playlistName) { 
        // The logical condition is structurally flawed, allowing execution to proceed
        http.Error(w, "Unauthorized", http.StatusUnauthorized)
        return
    }
 
    // Execution proceeds to file write
    err := store.Write(playlistName, playlistData)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
    }
}
 
func (s *Store) Write(name string, data []byte) error {
    // Vulnerable path generation
    targetPath := filepath.Join(s.BasePlaylistDir, name)
    
    // If directories do not exist, they are created with permissive 0777 permissions
    dir := filepath.Dir(targetPath)
    if err := os.MkdirAll(dir, 0777); err != nil {
        return err
    }
 
    return os.WriteFile(targetPath, data, 0644)
}

The patched version introduces strict path validation to guarantee containment within the designated parent folder before executing any directory-creation or file-writing logic:

// PATCHED IMPLEMENTATION (v0.21.0)
func (s *Store) Write(name string, data []byte) error {
    // 1. Clean and join the path
    targetPath := filepath.Clean(filepath.Join(s.BasePlaylistDir, name))
    
    // 2. Validate path containment (CWE-22 Remediation)
    cleanBase := filepath.Clean(s.BasePlaylistDir) + string(filepath.Separator)
    if !strings.HasPrefix(targetPath, cleanBase) {
        return errors.New("path traversal attempt detected")
    }
 
    // 3. Create intermediate directories with restrictive permissions (0750)
    dir := filepath.Dir(targetPath)
    if err := os.MkdirAll(dir, 0750); err != nil {
        return err
    }
 
    return os.WriteFile(targetPath, data, 0600)
}

An attacker with valid, low-privilege authentication credentials can exploit this vulnerability remotely over HTTP. The target endpoint is the Subsonic REST API wrapper for creating or updating playlists, typically accessible at /rest/createPlaylist or /rest/updatePlaylist.

The attack sequence is executed as follows:

1. Authentication: The attacker authenticates to the Subsonic endpoint using valid user credentials, receiving an active session token or generating valid request query parameters (username, salt, and token).

2. Payload Formulation: The attacker crafts a request payload containing a directory traversal or absolute path string inside the name parameter. To target a system-level configuration folder, the attacker sets the name to /etc/cron.d/malicious_job or a relative equivalent. The playlist tracks or metadata (within the request body) are populated with content designed to trigger action when parsed by external system utilities.

3. Request Transmission: The attacker submits an HTTP GET or POST request targeting the endpoint:

POST /rest/createPlaylist?u=attacker&t=token&s=salt&v=1.16.0&c=client&name=../../../../etc/cron.d/malicious_cron HTTP/1.1
Host: target-gonic-instance:8080
Content-Type: application/x-www-form-urlencoded
 
songId=1&songId=2

4. Execution: The server processes the request, bypasses the faulty guard clause, fails to validate the parent boundary of the generated path, creates any non-existent folders with 0777 permissions, and writes the M3U structured text containing the attacker-specified track paths to /etc/cron.d/malicious_cron.

The actual security impact of CVE-2026-49340 is governed by the privilege level under which the Gonic process executes within the host environment.

If Gonic runs as the root user or within a container mapped directly to root on the host namespace, the impact is critical. An attacker can write files to sensitive locations such as /etc/cron.d/, /etc/shadow, /etc/passwd, or /home/user/.ssh/authorized_keys. Writing to these paths allows standard users to execute arbitrary commands, overwrite system binaries, or insert SSH access credentials, resulting in remote code execution (RCE) and full machine compromise.

If Gonic runs as an unprivileged service account, the impact is localized but still significant. The attacker is restricted to folders where the service user has write privileges. However, the attacker can still overwrite Gonic database files, modify configuration assets, or cause a denial of service (DoS) by corrupting the server's data. Additionally, the permissive directory creation permissions (0777) mean that other local service accounts on the host can gain access to Gonic data, facilitating local lateral privilege escalation.

The definitive solution for CVE-2026-49340 is upgrading Gonic to version 0.21.0 or higher. The release addresses the logic flaws in the Subsonic API handler and introduces path sanitization to isolate files within the designated storage directory.

If immediate patching is not possible, organizations should implement the following host-level and network-level mitigations to reduce exposure:

1. Enforce Principle of Least Privilege: Verify that Gonic does not run as root. Transition the system to execute the daemon under an isolated, unprivileged system user account (e.g., a dedicated gonic system group and user) with minimal filesystem write permissions.

2. Isolate Environment via Containerization: Run Gonic inside an isolated container environment (e.g., Docker) without exposing root privileges (--user directive). Use read-only root filesystems where possible, mapping only the necessary data volumes for music and playlists. This ensures that even in the event of an arbitrary file write, the attacker cannot write to the real host's physical filesystems.

3. Implement Web Application Firewall (WAF) Rules: Configure fronting reverse proxies or WAF layers to block requests to Subsonic playlist endpoints containing classic directory traversal syntax (../ or ..\) or absolute pathways in the request URL parameters.