Navidrome Stores JWT Secret in Plaintext in navidrome.db
Description

Navidrome stores the JWT secret in plaintext in the navidrome.db database file, under the property table. This introduces a security risk because anyone with read access to the database file can retrieve the secret. The JWT secret is critical to the authentication and authorization system; if it is exposed, an attacker could:

– Forge valid tokens to impersonate users, including administrative accounts.
– Gain unauthorized access to sensitive data or perform privileged actions.

This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately…
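Since the risk described above hinges on who can read navidrome.db, the first thing an operator wants is a quick audit of that file. The following script is an added example written for this page, not code from Navidrome or from the advisory's author. It assumes a `property` table with `id` and `value` columns and a secret stored under an id containing "JWT"; both the schema and the id are assumptions, and the sample database it builds is constructed with a placeholder value. The audit reports filesystem exposure of the file and lists the ids of secret-looking properties without ever returning their values.

```python
import os
import sqlite3
import stat
import tempfile

# Assumed schema (not taken from the advisory): Navidrome keeps settings in a
# "property" table keyed by id, and the JWT secret sits under an id containing "JWT".
PROPERTY_TABLE = "property"


def permission_findings(db_path: str) -> list:
    """Return a list of filesystem exposure findings for the database file."""
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append("writable by group or others")
    return findings


def jwt_secret_property_ids(db_path: str) -> list:
    """Return property ids that look like a JWT secret; values are never read back."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(f"SELECT id FROM {PROPERTY_TABLE}").fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows if "jwt" in row[0].lower()]


def audit(db_path: str) -> dict:
    """Combine both checks: who can read the file, and what secret it holds in plaintext."""
    return {
        "exposure": permission_findings(db_path),
        "plaintext_secret_ids": jwt_secret_property_ids(db_path),
    }


def build_sample_db(mode: int) -> str:
    """Create a constructed sample navidrome.db with the assumed schema and a placeholder secret."""
    path = os.path.join(tempfile.mkdtemp(), "navidrome.db")
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(f"CREATE TABLE {PROPERTY_TABLE} (id TEXT PRIMARY KEY, value TEXT)")
        conn.execute(
            f"INSERT INTO {PROPERTY_TABLE} VALUES (?, ?)",
            ("JWTSecret", "PLACEHOLDER-NOT-A-REAL-SECRET"),  # constructed value
        )
    conn.close()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # A 0644 file is readable by every local account; 0600 limits it to the service user.
    for mode in (0o644, 0o600):
        print(oct(mode), audit(build_sample_db(mode)))
```

An empty `exposure` list with a non-empty `plaintext_secret_ids` is the expected state for a correctly locked-down install: the secret is still in plaintext, but only the service account can reach the file. Anything in `exposure` means the secret is one file read away for other local users, which is exactly the condition the advisory warns about.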
