CVE-2026-27732 is a Server-Side Request Forgery (SSRF) vulnerability identified in WWBN's open-source video platform, AVideo, specifically in versions prior to 22.0. The vulnerability resides in the aVideoEncoder.json.php API endpoint, which accepts a parameter named downloadURL. This parameter is used by the server to fetch external resources without adequate validation or an allow-list mechanism. As a result, an authenticated attacker can manipulate this parameter to force the server to initiate HTTP requests to arbitrary URLs, including internal network addresses that are typically inaccessible externally. This SSRF flaw can be leveraged to interact with internal services such as metadata services, internal APIs, or other sensitive endpoints, potentially exposing confidential information or enabling lateral movement within the network. The vulnerability does not require user interaction but does require the attacker to have valid authentication credentials, which may limit the attack surface to authorized users or compromised accounts. The CVSS 4.0 base score of 8.6 reflects the high impact on confidentiality and integrity, with low attack complexity and no user interaction needed. The vulnerability has been addressed in AVideo version 22.0 by implementing proper validation and allow-listing of URLs to prevent arbitrary server-side requests. No known exploits are currently reported in the wild, but the potential for significant impact exists given the nature of SSRF attacks and the sensitive data that may be exposed.

The SSRF vulnerability in AVideo can have severe consequences for organizations using affected versions. By exploiting this flaw, an attacker with valid credentials can access internal network resources that are normally protected from external access. This can lead to unauthorized disclosure of sensitive information such as internal APIs, metadata services, or configuration data. In some deployment environments, SSRF can be a stepping stone for further compromise, including privilege escalation, lateral movement, or execution of unauthorized commands if internal services are vulnerable. The impact is heightened in cloud or containerized environments where metadata services provide critical instance or credential information. Additionally, the compromise of internal services may disrupt availability or integrity of video platform operations. Organizations relying on AVideo for video hosting or streaming may face data breaches, service disruptions, or reputational damage if this vulnerability is exploited. The requirement for authentication reduces the risk somewhat but does not eliminate it, especially if user credentials are weak, reused, or compromised.

To mitigate CVE-2026-27732, organizations should upgrade all AVideo instances to version 22.0 or later, where the vulnerability is fixed. Until upgrades can be applied, implement strict network segmentation and firewall rules to restrict the AVideo server's outbound HTTP requests, limiting them only to trusted external resources. Employ allow-listing at the network or application level to prevent server-side requests to internal IP ranges or sensitive endpoints. Monitor and audit authenticated user activity for unusual patterns that could indicate SSRF exploitation attempts. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Additionally, review and harden internal services that could be targeted via SSRF, such as metadata services or internal APIs, by implementing authentication and access controls. Consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities to detect and block malicious requests. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.