CVE-2026-49339 - gonic playlist ownership bypass
gonic before 0.21.0 can let playlist retrieval or deletion bypass intended
ownership checks. The vulnerable pattern is especially risky where playlist
paths or identifiers are user controlled.
Affected versions
- Vulnerable:
sentriz/gonic <0.21.0 - Fixed:
0.21.0+
Remediation strategy
- Upgrade to
0.21.0+. - Canonicalize the target playlist first, then enforce ownership or tenant checks on the resolved object, not on raw user input.
- Add tests covering cross-user and traversal-shaped access attempts.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-49339 in gonic. Produce either a reviewer-ready PR that
upgrades gonic, fixes playlist ownership enforcement, and adds regression
coverage, or TRIAGE.md if this repository does not control the affected gonic
runtime or fork.
Steps:
1. Inventory gonic modules, forks, images, and playlist handlers.
2. Upgrade every controlled version to 0.21.0+.
3. Enforce ownership checks on canonicalized playlist targets.
4. Add cross-user regression tests.
5. Use PR title `fix(sec): remediate gonic playlist ownership bypass`.
Verification
- No controlled gonic runtime remains below
0.21.0. - Cross-user playlist read/delete attempts are denied after canonicalization.
References
- GitHub Advisory Database entry: https://github.com/advisories?query=CVE-2026-49339
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49339