Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/navidrome/navidrome(Go) | 0 | 0.56.0 | N/A |
CVSS Metrics
