
CVE-2025-48948 – Navidrome Transcoding Permission Bypass Vulnerability Report
https://notcve.org/view.php?id=CVE-2025-48948
30 May 2025 — Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Versio... • https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3 • CWE-863: Incorrect Authorization •

CVE-2024-56362 – Navidrome Stores JWT Secret in Plaintext in navidrome.db
https://notcve.org/view.php?id=CVE-2024-56362
23 Dec 2024 — Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1. • https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff • CWE-312: Cleartext Storage of Sensitive Information •

CVE-2024-47062 – Multiple SQL Injections and ORM Leak in navidrome
https://notcve.org/view.php?id=CVE-2024-47062
20 Sep 2024 — Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. • https://github.com/saisathvik1/CVE-2024-47062 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-32963 – Parameter Tampering vulnerability in Navidrome
https://notcve.org/view.php?id=CVE-2024-32963
01 May 2024 — Navidrome is an open source web-based music collection server and streamer. Affected versions of Navidrome are subject to a parameter tampering vulnerability in which an attacker can manipulate parameter values in HTTP requests. By changing parameter values in the request body, the attacker can successfully impersonate another user. In this case, the attacker created a playlist, added a song, posted an arbitrary comment, set the playlist to be public, and put the admin as the owner of the pla... • https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-51442 – Authentication bypass vulnerability in navidrome's subsonic endpoint
https://notcve.org/view.php?id=CVE-2023-51442
21 Dec 2023 — Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided us... • https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c • CWE-287: Improper Authentication •

CVE-2022-23857
https://notcve.org/view.php?id=CVE-2022-23857
24 Jan 2022 — model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords). The file model/criteria/criteria.go in Navidrome versions prior to 0.47.5 is vulnerable to SQL injection attacks when crafted smart playlists are processed... • https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •