Skip to main content

Avideo EUVDEUVD-2026-16748

| CVE-2026-34369 MEDIUM
Missing Authorization (CWE-862)
2026-03-27 GitHub_M GHSA-q6jj-r49p-94fh
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2026-16748
Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
CVE Published
Mar 27, 2026 - 18:13 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the get_api_video_file and get_api_video API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTube() hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.

AnalysisAI

WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints get_api_video_file and get_api_video, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the CustomizeUser::getModeYouTube() hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.

Technical ContextAI

WWBN AVideo is an open-source video streaming platform (CPE: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*). The vulnerability is rooted in CWE-862 (Missing Authorization), a root cause class describing insufficient validation of user privileges before granting access to protected resources. The affected API endpoints (get_api_video_file and get_api_video) return playback sources-direct MP4 URLs and HLS streaming manifests-without enforcing the password verification logic that the web UI implements via the CustomizeUser::getModeYouTube() hook. This represents a classic authentication/authorization enforcement gap between two code paths (web vs. API) serving the same protected resource. The attacker surface is the HTTP API layer itself, which processes requests over the network without authentication or privilege checks.

RemediationAI

Upgrade WWBN AVideo to a version patched after commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 (exact released version number not provided in available data; consult the vendor advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-q6jj-r49p-94fh for the next stable release containing this fix). Until patching is completed, implement network-level access controls to restrict the API endpoints (get_api_video_file and get_api_video) to trusted internal networks or authenticated users only, using a reverse proxy with IP whitelisting or API key validation. Additionally, review any password-protected videos that may have been accessed via the API without authorization and consider rotating or resetting video passwords as a precaution.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

EUVD-2026-16748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy