Navidrome Stores JWT Secret in Plaintext in navidrome.db
Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could: Forge valid tokens to impersonate users, including administrative accounts. Gain unauthorized access to sensitive data or perform privileged actions. This …