gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints "/rest/deletePlaylist.view" and "/rest/getPlaylist.view" perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its "id" and read the full contents (name, comment, song list) of any other user's private (non-public) playlist by passing its "id". The Subsonic playlist "id" is "base64url("<userID>/<filename>.m3u")". Because filenames are user-supplied or time-derived and the "userID" is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit "6dd71e6a3c966867ef8c900d359a7df75789f410", which is part of version 0.21.0.