CVE-2025-48948
MEDIUMnavidrome < 0.56.0 - Authenticated Incorrect Authorization via Transcoding Configuration
Title source: llmDescription
Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3
Issue Tracking x_refsource_misc
https://github.com/navidrome/navidrome/pull/4096
Scores
CVSS v3
6.5
EPSS
0.0040
EPSS Percentile
31.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
navidrome/navidrome
< 0.56.0
navidrome/navidrome
0 - 0.56.0Go
Published
May 30, 2025
Tracked Since
Feb 18, 2026