This is an important security fix. Please update ASAP. A proper CVE advisory will be published soon and will be linked here.
I wish the web ui supported jukebox mode
This seems quite serious, I’ll definitely be reading the CVE once it’s published. Luckily, I noticed the github notification of the release after only a couple of hours.
edit: I read the advisory and it wasn’t too bad in terms of attacker access:
Impact
An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.
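As an added illustration, not Navidrome's code and not the actual root cause from the advisory (which this thread does not quote): a minimal Go login check showing the fail-closed pattern that stops a non-existent username from getting past authentication at all. `AuthenticateLoose` is a hypothetical defect where a lookup that never reports "not found" hands back a zero-value user; `AuthenticateStrict` rejects unknown users before any password comparison. The user table, names and passwords are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrUnauthorized is returned for every authentication failure. The response
// sent to the client must not reveal whether the username or password was wrong.
var ErrUnauthorized = errors.New("unauthorized")

// User is a minimal account record, constructed for this example.
type User struct {
	Name     string
	Password string // plaintext only to keep the example short; real code stores a hash
	IsAdmin  bool
}

// userStore is a constructed in-memory user table standing in for a database.
var userStore = map[string]User{
	"alice": {Name: "alice", Password: "correct-horse", IsAdmin: false},
}

// AuthenticateLoose is a hypothetical defect, not Navidrome's logic: a map
// (or ORM) lookup that does not report "not found" returns the zero-value
// User, and the caller compares the supplied password against that zero
// value's empty password. Any unknown username with an empty password passes.
func AuthenticateLoose(name, password string) (User, error) {
	u := userStore[name] // missing key -> zero-value User, no error
	if subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) == 1 {
		return u, nil
	}
	return User{}, ErrUnauthorized
}

// AuthenticateStrict fails closed: an unknown user is rejected before any
// password comparison, and an account with no password set is rejected too,
// so a zero-value User can never reach the caller as an authenticated principal.
func AuthenticateStrict(name, password string) (User, error) {
	u, ok := userStore[name]
	if !ok || u.Password == "" {
		return User{}, ErrUnauthorized
	}
	if subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) != 1 {
		return User{}, ErrUnauthorized
	}
	return u, nil
}

func main() {
	// Constructed login attempts: a valid account and a username that does not exist.
	attempts := []struct{ name, pw string }{
		{"alice", "correct-horse"},
		{"nobody", ""},
	}
	for _, a := range attempts {
		_, errLoose := AuthenticateLoose(a.name, a.pw)
		_, errStrict := AuthenticateStrict(a.name, a.pw)
		fmt.Printf("user=%q loose-accepts=%v strict-accepts=%v\n",
			a.name, errLoose == nil, errStrict == nil)
	}
}
```

The check worth carrying into any login handler is the first `if` in `AuthenticateStrict`: the "user exists" result must be an explicit boolean or error that the code acts on, never something inferred from a struct that happens to be empty.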