Skip to content
Security & Trust

One Login, Any Resource: IDOR Hits the Subsonic API Layer

GHSA-hmgp-w9jm-vp95 shows how authenticated-not-authorized gaps become systemic when machine clients hold the credentials

· 5 min read
Share on X LinkedIn
One Login, Any Resource: IDOR Hits the Subsonic API Layer

Authentication Is Not Authorization

A GitHub security advisory (GHSA-hmgp-w9jm-vp95) published against gonic — a widely deployed open-source Subsonic API server — describes an Insecure Direct Object Reference (IDOR) vulnerability in two core API endpoints: /rest/deletePlaylist.view and /rest/getPlaylist.view. The flaw requires no elevated privilege. Any user holding a valid authentication token — regardless of account role — can supply an arbitrary playlist id parameter and either retrieve or permanently delete it. The ownership relationship between the caller and the target resource is never verified by the application. In a multi-user deployment, this means every authenticated caller holds implicit read and delete access to every other user's playlist data, with no additional steps required.

#1 — present in 94% of applications tested
Broken Access Control — OWASP Top 10 Rank
Source: OWASP Top 10 2021 (September 2021)

Credentials as Master Keys

The advisory's implications extend beyond the gonic user base. Subsonic-compatible APIs are consumed by automated clients: mobile applications, third-party integrations, and AI-driven media management agents that authenticate using stored service credentials. In this architecture, a single valid API token — obtained through credential stuffing, phishing, or a supply-chain compromise of a downstream integration — grants a machine caller the ability to enumerate and destroy all playlists across the entire server population at API call speed. Where a human attacker operates sequentially with limited throughput, an automated client can exhaust the attack surface in seconds. The conventional IDOR risk calculus assumed human-paced exploitation. That assumption does not hold when the authenticated caller is software acting on behalf of an AI workflow. One compromised service account now carries the access surface of every user the server has ever provisioned.

1,629
CISA Known Exploited Vulnerabilities — Total Catalog Entries
Source: CISA KEV Catalog (June 25, 2026)

Per-Resource Authorization: The Missing Layer

The authorization gap in GHSA-hmgp-w9jm-vp95 is structurally specific: per-resource ownership verification was not implemented at the endpoint level. Authentication confirmed that the caller holds a valid credential; it did not confirm that the caller is entitled to act on the specific resource identified by the id parameter. This pattern — authenticate once, trust the session — fails immediately in multi-principal systems where objects belong to distinct owners. Remediation requires object-level access control: before any read or mutation, the application must verify that the requesting principal owns or has been explicitly delegated access to the target resource. This check cannot be inferred from session state alone, and authentication hardening in isolation does not substitute for it. The fix is architectural, not configurational.

466,000+ sites across 25 frameworks and 100+ TLDs
WebPulse Detected-Site Coverage
Source: WebPulse Scan Dataset (June 2026)

Executive Exposure Assessment

Across the 466,000+ sites in WebPulse's detected-framework dataset, API-backed application layers represent a growing share of production deployments. The authorization pattern exposed in the Subsonic case is not unique to media servers: any framework that exposes object-level endpoints without per-resource ownership checks carries a structurally identical exposure profile. As organizations deploy AI agents that authenticate against internal and third-party APIs using stored service credentials, the blast radius of a single credential compromise scales proportionally with the number of users served. IDOR vulnerabilities that might once have required targeted manual exploitation now represent a systemic access pattern available to any authenticated caller — human or machine — holding a valid token. For security and engineering leadership, this advisory marks an authorization gap that authentication frameworks alone do not close: per-resource access control must be implemented as an explicit, tested control at every object-level endpoint, and that verification must be part of API security review before deployment.

Share this insight