GHSA-XV8G-FJ9H-6GMV
Vulnerability from github – Published: 2026-03-10 01:18 – Updated: 2026-03-10 19:27The linkdave server does not enforce authentication on its REST and WebSocket routes in versions prior to 0.1.5.
Impact
An attacker with network access to the server port can:
- Connect to the WebSocket endpoint (/ws) and receive a valid session_id in the OpReady response.
- Use that session to invoke all REST player controls on any guild corresponding to their session id[1].
- Enumerate server statistics and runtime information via the unauthenticated /stats endpoint (still public after the fix).
[1] If on >=0.1.0, attackers are restricted to creating, controlling and deleting players created within their own session ID.
Vulnerable Routes
The following routes were entirely unauthenticated in >= 0.0.1, < 0.1.5:
| Method | Path | Description |
|---|---|---|
POST |
/sessions/{session_id}/players/{guild_id}/play |
Start audio playback |
POST |
/sessions/{session_id}/players/{guild_id}/pause |
Pause playback |
POST |
/sessions/{session_id}/players/{guild_id}/resume |
Resume playback |
POST |
/sessions/{session_id}/players/{guild_id}/stop |
Stop playback |
POST |
/sessions/{session_id}/players/{guild_id}/seek |
Seek to position |
PATCH |
/sessions/{session_id}/players/{guild_id}/volume |
Set volume |
DELETE |
/sessions/{session_id}/players/{guild_id} |
Disconnect from voice channel |
GET |
/ws |
WebSocket event stream |
Patches
Update to 0.1.5.
- image: ghcr.io/shi-gg/linkdave:0.1.4
+ image: ghcr.io/shi-gg/linkdave:latest
or
docker pull ghcr.io/shi-gg/linkdave:latest
After upgrading, set the LINKDAVE_PASSWORD environment variable to a strong secret value. If this variable is left unset, the server will still accept all connections without authentication even on >= 0.1.5.
Server configuration (e.g. compose.yml):
environment:
LINKDAVE_PASSWORD: ${LINKDAVE_PASSWORD}
echo "LINKDAVE_PASSWORD=$(openssl rand -hex 16)" >> .env
To restart the stack, run
docker compose up -d
TypeScript client (0.1.5+):
The client automatically handles authentication. Pass the password when constructing the client:
const linkdave = new LinkDaveClient({
nodes: [
{
name: "main",
url: process.env.LINKDAVE_URI,
password: process.env.LINKDAVE_PASSWORD
}
]
});
Workarounds
If upgrading is not immediately possible, restrict network access to the server's port using a firewall so it is only accessible from trusted internal IP addresses.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/shi-gg/linkdave"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T01:18:20Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The `linkdave` server does not enforce authentication on its REST and WebSocket routes in versions prior to `0.1.5`.\n\n### Impact\n\nAn attacker with network access to the server port can:\n- Connect to the WebSocket endpoint (`/ws`) and receive a valid `session_id` in the `OpReady` response.\n- Use that session to invoke all REST player controls on any guild corresponding to their session id[1].\n- Enumerate server statistics and runtime information via the unauthenticated `/stats` endpoint (still public after the fix).\n\n[1] If on [`\u003e=0.1.0`](https://github.com/shi-gg/linkdave/releases/tag/v0.1.0), attackers are restricted to creating, controlling and deleting players created within their own session ID.\n\n### Vulnerable Routes\n\nThe following routes were entirely unauthenticated in `\u003e= 0.0.1, \u003c 0.1.5`:\n\n| Method | Path | Description |\n|--------|------|-------------|\n| `POST` | `/sessions/{session_id}/players/{guild_id}/play` | Start audio playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/pause` | Pause playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/resume` | Resume playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/stop` | Stop playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/seek` | Seek to position |\n| `PATCH` | `/sessions/{session_id}/players/{guild_id}/volume` | Set volume |\n| `DELETE` | `/sessions/{session_id}/players/{guild_id}` | Disconnect from voice channel |\n| `GET` | `/ws` | WebSocket event stream |\n\n### Patches\n\nUpdate to [`0.1.5`](https://github.com/shi-gg/linkdave/commit/0f9a00d9d549b16278db81fce6dfec350c2abc01).\n\n```diff\n- image: ghcr.io/shi-gg/linkdave:0.1.4\n+ image: ghcr.io/shi-gg/linkdave:latest\n```\nor\n```sh\ndocker pull ghcr.io/shi-gg/linkdave:latest\n```\n\nAfter upgrading, set the `LINKDAVE_PASSWORD` environment variable to a strong secret value. If this variable is left unset, the server will still accept all connections without authentication even on `\u003e= 0.1.5`.\n\n**Server configuration (e.g. `compose.yml`):**\n```sh\nenvironment:\n LINKDAVE_PASSWORD: ${LINKDAVE_PASSWORD}\n```\n```sh\necho \"LINKDAVE_PASSWORD=$(openssl rand -hex 16)\" \u003e\u003e .env\n```\n\nTo restart the stack, run\n```sh\ndocker compose up -d\n```\n\n**TypeScript client (`0.1.5+`):**\n\nThe client automatically handles authentication. Pass the password when constructing the client:\n```ts\nconst linkdave = new LinkDaveClient({\n nodes: [\n {\n name: \"main\",\n url: process.env.LINKDAVE_URI,\n password: process.env.LINKDAVE_PASSWORD\n }\n ]\n});\n```\n\n### Workarounds\n\nIf upgrading is not immediately possible, restrict network access to the server\u0027s port using a firewall so it is only accessible from trusted internal IP addresses.",
"id": "GHSA-xv8g-fj9h-6gmv",
"modified": "2026-03-10T19:27:55Z",
"published": "2026-03-10T01:18:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shi-gg/linkdave/security/advisories/GHSA-xv8g-fj9h-6gmv"
},
{
"type": "WEB",
"url": "https://github.com/shi-gg/linkdave/commit/0f9a00d9d549b16278db81fce6dfec350c2abc01"
},
{
"type": "PACKAGE",
"url": "https://github.com/shi-gg/linkdave"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Linkdave Missing Authentication on REST and WebSocket endpoints"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.