GHSA-qff7-q5fm-8p76

Suggest an improvement
Source
https://github.com/advisories/GHSA-qff7-q5fm-8p76
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qff7-q5fm-8p76/GHSA-qff7-q5fm-8p76.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qff7-q5fm-8p76
Published
2026-05-04T21:19:24Z
Modified
2026-05-05T16:13:15.370251Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
Details

Summary

The GET /api/station/{station_id}/file/{id}/play endpoint, handled by PlayAction, is missing the Middleware\Permissions check that protects all sibling routes in the same /file/{id} route group. Any authenticated user can download media files from any station, regardless of whether they have permissions on that station. In multi-tenant deployments, this enables cross-station media exfiltration.

Details

In backend/config/routes/api_station.php, the /file/{id} route group (lines 407-429) defines four endpoints:

// Line 407-429
$group->group(
    '/file/{id}',
    function (RouteCollectorProxy $group) {
        // GET /file/{id} — has Permissions check ✓
        $group->get('', ...)->add(new Middleware\Permissions(StationPermissions::Media, true));

        // PUT /file/{id} — has Permissions check ✓
        $group->put('', ...)->add(new Middleware\Permissions(StationPermissions::Media, true));

        // DELETE /file/{id} — has Permissions check ✓
        $group->delete('', ...)->add(new Middleware\Permissions(StationPermissions::DeleteMedia, true));

        // GET /file/{id}/play — NO Permissions check ✗
        $group->get('/play', Controller\Api\Stations\Files\PlayAction::class)
            ->setName('api:stations:files:play');
    }
);

The middleware chain for the /play endpoint is: GetStation → RequireStation → RequireLogin → StationSupportsFeature(Media) → PlayAction. The RequireLogin middleware (backend/src/Middleware/RequireLogin.php) only verifies a valid session/API key exists — it does not check station-level permissions.

The controller at backend/src/Controller/Api/Stations/Files/PlayAction.php:84 calls $this->mediaRepo->requireForStation($id, $station), which verifies the media belongs to the station but performs no authorization check. The findForStation method (StationMediaRepository.php:46-66) accepts both auto-increment integer IDs and unique IDs, making enumeration trivial via sequential integers.

This is notably similar to the regression fixed in commit 7fbc7dd (2026-02-26), which restored a missing group-level Permissions middleware on the adjacent /files group. The /play route was missed in that fix.

PoC

# Step 1: Create two stations (Station A and Station B) in a multi-tenant AzuraCast instance.
# Upload media files to Station B.

# Step 2: Create a user with permissions ONLY on Station A. Generate an API key for this user.
API_KEY="user-with-only-station-a-access"

# Step 3: Enumerate and download media from Station B (station_id=2) using sequential IDs
# This should return 403 Forbidden, but instead returns the file content
curl -H "X-API-Key: $API_KEY" https://target/api/station/2/file/1/play -o stolen1.mp3
# HTTP 200 OK — file downloaded successfully

curl -H "X-API-Key: $API_KEY" https://target/api/station/2/file/2/play -o stolen2.mp3
# HTTP 200 OK — file downloaded successfully

# Step 4: Verify the same user is correctly blocked on other endpoints in the same group
curl -H "X-API-Key: $API_KEY" https://target/api/station/2/file/1
# HTTP 403 Forbidden — permission check works here

Impact

  • Any authenticated user can download the full media library of any station in the instance, regardless of their assigned permissions.
  • In multi-tenant deployments (e.g., hosting providers running multiple radio stations), a user of Station A can exfiltrate all copyrighted audio content from Station B.
  • Media IDs use auto-increment integers (HasAutoIncrementId trait on StationMedia), enabling trivial enumeration of all media files.
  • The confidentiality impact is High: full media file contents (MP3, FLAC, etc.) are exposed.

Recommended Fix

Add the Permissions middleware to the /play route, matching the pattern used by the adjacent routes:

// backend/config/routes/api_station.php, line 426-427
// Before:
$group->get('/play', Controller\Api\Stations\Files\PlayAction::class)
    ->setName('api:stations:files:play');

// After:
$group->get('/play', Controller\Api\Stations\Files\PlayAction::class)
    ->setName('api:stations:files:play')
    ->add(new Middleware\Permissions(StationPermissions::Media, true));
Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:19:24Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

Packagist / azuracast/azuracast

Package

Name
azuracast/azuracast
Purl
pkg:composer/azuracast/azuracast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.23.6

Affected versions

0.*
0.3.1
0.3.2
0.3.3
0.5.0
0.6.0
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.4.1
0.9.4.2
0.9.5
0.9.5.1
0.9.6
0.9.6.1
0.9.6.2
0.9.6.5
0.9.7
0.9.7.1
0.9.8
0.9.8.1
0.9.9
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.11
0.11.1
0.11.2
0.12
0.12.1
0.12.2
0.12.3
0.12.4
0.13.0
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.17.7
0.18.0
0.18.1
0.18.2
0.18.3
0.18.5
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0
0.22.0
0.22.1
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qff7-q5fm-8p76/GHSA-qff7-q5fm-8p76.json"
last_known_affected_version_range 
"<= 0.23.5"