This is an important security fix. Please update ASAP. A proper CVE advisory will be published soon and will be linked here.
This seems quite serious, I’ll definitely be reading the CVE once it’s published. Luckily, I noticed the GitHub notification of the release after only a couple of hours.
edit: I read the advisory and it wasn’t too bad in terms of attacker access:
Impact

An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.

I wish the web UI supported jukebox mode