Navidrome
cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*
- <= 0.55.2
A permission verification flaw exists in Navidrome versions prior to 0.56.0, allowing authenticated regular users to bypass authorization checks and access administrator-only transcoding configuration operations. This includes the ability to create, modify, and delete transcoding settings. The vulnerability arises because the application fails to properly validate administrative privileges when handling transcoding configuration requests via the API, even though the user's JWT indicates a lack of admin rights. This issue is particularly concerning in environments where administrators are trusted but regular users are not, as it could lead to unauthorized modifications of critical system settings, with potential implications for system performance and functionality.
Exploitation of this vulnerability allows regular users to perform administrative actions related to transcoding, including creating, updating, and deleting transcoding configurations. This could disrupt system performance and functionality, and potentially introduce security risks such as command injection, since transcoding settings can include command parameters.
To reproduce this vulnerability, set up Navidrome with transcoding enabled. Log in as a regular user (non-administrator) and send a request to the API endpoint for creating transcoding configurations. The request will succeed, demonstrating that the application does not properly enforce authorization checks for regular users.
Users can upgrade to Navidrome version 0.56.0 or later, where this vulnerability has been patched.
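The server-side check the advisory describes as missing, shown as an added Go illustration (Navidrome is written in Go). This is hypothetical code written for this page, not Navidrome's handler or its 0.56.0 fix; the Claims type, the claimsKey context key, the /api/transcoding route and the stand-in handler are all assumptions, and the admin flag is taken from the already-verified JWT claims rather than from anything the client can set in the request body.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
)

// Claims is what the server knows about the caller once its JWT has been
// verified (hypothetical type; JWT parsing itself is out of scope here).
type Claims struct{ Admin bool }

type claimsKey struct{}

// RequireAdmin is the server-side check the advisory describes as missing: it
// re-reads the admin flag from the verified claims on every request and fails
// closed (401 with no claims, 403 for a non-admin).
func RequireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := r.Context().Value(claimsKey{}).(Claims)
		switch {
		case !ok:
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		case !c.Admin:
			http.Error(w, "admin privileges required", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// NewMux puts a stand-in transcoding create/update/delete handler behind the check.
func NewMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/transcoding", RequireAdmin(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })))
	return mux
}

// StatusFor sends one in-process POST with the given verified claims (nil = none).
func StatusFor(mux http.Handler, c *Claims) int {
	req := httptest.NewRequest(http.MethodPost, "/api/transcoding", nil)
	if c != nil {
		req = req.WithContext(context.WithValue(req.Context(), claimsKey{}, *c))
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}
```

A regression test for the fix would assert exactly these three outcomes: no claims yields 401, a non-admin yields 403, and only an admin reaches the handler.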