Navidrome Unauthorized Account Creation Scanner
This scanner detects whether the Navidrome admin user creation (installation) page is exposed on the assessed digital assets.
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 8 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
Navidrome is a self-hosted music streaming server, popular with music enthusiasts and server administrators for organizing and streaming personal music libraries. It is commonly deployed on home networks and media servers, where users stream music through a modern web interface or connected client applications. Because it is self-hosted, it is favored by tech-savvy individuals and small teams who want direct control over their media. The software supports a wide range of music file formats and integrates with many client applications. Its flexibility and open-source licensing attract developers and music lovers alike. Administration, including user and media management, is handled through an accessible web dashboard.
Installation page exposure is the risk that an administrative or setup interface remains reachable after deployment, allowing actions that should only have been possible during installation. In Navidrome's case it lets an unauthorized party create an admin account, compromising the integrity of the instance and its data. The exposure typically results from an incomplete or misconfigured installation, or from insufficient hardening once setup is done. In self-hosted environments it substantially raises the risk of unauthorized system access and control. Mitigation consists of keeping the software updated, completing and locking down the initial setup, and restricting access to installation pages. The threat illustrates why self-managed server applications need careful post-install hardening.
The scanner targets the endpoint Navidrome uses to create the first admin user during its setup phase. If that endpoint is still exposed, a POST request to "/auth/createAdmin" with a JSON body containing parameters such as "username" and "password" creates an admin user. A successful creation is indicated by an HTTP 200 status code and a response body containing "isAdmin":true. Anyone who can reach the endpoint, or intercept this exchange, can therefore obtain administrative privileges. This makes it essential to secure the endpoint once setup is complete and to monitor for unauthorized requests to it. Keeping installation interfaces locked down after setup is the key control against unauthorized administrative account creation.
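The success indicator described above (HTTP 200 plus "isAdmin":true in the body) can be checked on the defender's side in two places: against a captured response, to confirm whether the setup endpoint still accepts requests, and in reverse-proxy access logs, where any POST to /auth/createAdmin after initial setup is a finding. The Python below is an added example written for this page; it is not the scanner's own code. The combined-log-format regex, the sample log lines, the sample response bodies and the helper names are constructed assumptions, not Navidrome's actual output.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Endpoint and success indicator as described on the page.
CREATE_ADMIN_PATH = "/auth/createAdmin"


def response_indicates_admin_created(status_code: int, body: str) -> bool:
    """True when a response to POST /auth/createAdmin shows an admin account was
    created: HTTP 200 and a JSON object containing "isAdmin": true (boolean)."""
    if status_code != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("isAdmin") is True


# Reverse-proxy access log in combined log format (assumed; adjust to your proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    succeeded: bool  # HTTP 200 means the server accepted the creation request


def find_create_admin_requests(lines: Iterable[str]) -> List[Finding]:
    """Flag every POST to the admin-creation endpoint. After initial setup there
    should be none: a 200 means an admin account was created without authorization,
    a non-200 is still an attempt worth alerting on."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        # Drop any query string so "/auth/createAdmin?x=1" still matches.
        path = m.group("path").split("?", 1)[0]
        if path != CREATE_ADMIN_PATH:
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("ip"), m.group("ts"), status, status == 200))
    return findings


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /auth/createAdmin HTTP/1.1" 200 143 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:40 +0000] "POST /auth/createAdmin?retry=1 HTTP/1.1" 403 21 "-" "curl/8.0"',
    '10.0.0.5 - - [10/Oct/2023:13:57:12 +0000] "POST /auth/login HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
]

# Constructed sample responses: the shape follows the page's description, the values are made up.
SAMPLE_SUCCESS_BODY = '{"id":"example-id","username":"admin","isAdmin":true,"name":"admin"}'
SAMPLE_DENIED_BODY = '{"error":"admin user already exists"}'


if __name__ == "__main__":
    for f in find_create_admin_requests(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} -> {CREATE_ADMIN_PATH} status={f.status} created={f.succeeded}")
    print("setup endpoint exposed:", response_indicates_admin_created(200, SAMPLE_SUCCESS_BODY))
    print("setup endpoint exposed:", response_indicates_admin_created(403, SAMPLE_DENIED_BODY))
```

The response check deliberately requires a boolean true rather than the string "true", so a body that merely echoes the literal does not count as a success; the log check reports non-200 attempts as well, since repeated POSTs to the setup endpoint after installation are themselves a signal to act on.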
Exploiting this exposure gives unauthorized access to Navidrome's administrative functions and can lead to data breaches. An attacker could create further admin accounts, modify or delete music libraries, or read sensitive user data. If Navidrome is integrated with other systems, the compromise can extend across the wider network. The misconfiguration can therefore cause significant operational disruption and privacy violations. Remediation should ensure that only authenticated, authorized users can reach sensitive interfaces. Continuous monitoring and periodic security audits help identify and close such exposures quickly.