CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration - including CDN URLs, storage credentials, and the authentication key itself - via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.
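The two flaws described above (a key check that is skipped when the configured key is empty, and mass-assignment of request fields) are shown below next to a fail-closed form. This is an added example, not AVideo code and not taken from the patch commit; the function names, field names and the shape of the weak check are assumptions based on the description.

```php
<?php
// Added illustration, not AVideo source. Function and field names are hypothetical.

// Weak shape: the comparison only runs when a key is configured, so the
// default empty key authorizes every caller.
function weakKeyCheck(string $configuredKey, string $suppliedKey): bool
{
    if ($configuredKey !== '' && $configuredKey !== $suppliedKey) {
        return false;
    }
    return true;
}

// Hardened shape: an unconfigured key fails closed; comparison is constant-time.
function strictKeyCheck(string $configuredKey, string $suppliedKey): bool
{
    if ($configuredKey === '' || $suppliedKey === '') {
        return false;
    }
    return hash_equals($configuredKey, $suppliedKey);
}

// Mass-assignment guard: only allow-listed fields are copied from the request.
// The key and storage credentials are deliberately absent from the list.
const ASSIGNABLE_FIELDS = ['enabled', 'statusNote']; // hypothetical field names

function applyAllowedParams(array $config, array $par): array
{
    foreach (ASSIGNABLE_FIELDS as $field) {
        if (array_key_exists($field, $par) && is_scalar($par[$field])) {
            $config[$field] = $par[$field];
        }
    }
    return $config;
}

// Constructed sample data: plugin enabled, key never configured.
$config = ['key' => '', 'storageSecret' => 'PLACEHOLDER', 'enabled' => true];
$par    = ['key' => 'replaced', 'storageSecret' => 'replaced', 'enabled' => false];

// Compare both checks on the unconfigured state, then show the filtered update.
var_dump(weakKeyCheck($config['key'], ''));
var_dump(strictKeyCheck($config['key'], ''));
var_dump(applyAllowedParams($config, $par));
```

The strict check refuses service until an administrator sets a key, which is the behaviour to verify after upgrading.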
Analysis
WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. …
Remediation
Within 24 hours: Audit all AVideo instances to identify which are running version 26.0 or earlier with CDN plugin enabled, and document CDN storage credentials and access keys in use. Within 7 days: Implement network segmentation to restrict CDN plugin access to trusted administrative networks only, disable the CDN plugin if not actively required, and rotate all storage credentials and authentication keys. …
EUVD-2026-14506
GHSA-r64r-883r-wcwh