CVE-2026-28354 is a medium-severity authorization bypass vulnerability identified in ClipBucket v5, a widely used open-source video sharing platform. The vulnerability arises from improper authorization checks in collection item management endpoints prior to version 5.5.3 #59. Specifically, the add item operation (/actions/add_to_collection.php) lacks any authorization validation, allowing any authenticated user to add items to collections they do not own. Similarly, the delete item operation (/manage_collections.php?mode=manage_items...) suffers from a broken ownership check in the removeItemFromCollection() function, enabling unauthorized deletion of collection items. These flaws correspond to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Incorrect Authorization). The vulnerability requires the attacker to be authenticated but does not require additional user interaction or elevated privileges. The impact is primarily on integrity, as attackers can manipulate other users’ collections without permission, potentially leading to data tampering, content poisoning, or disruption of user experience. The vulnerability has a CVSS 4.0 base score of 5.7, reflecting its moderate risk level. The issue was publicly disclosed on February 27, 2026, with no known exploits in the wild at the time of publication. The vendor fixed the vulnerability in version 5.5.3 #59 by implementing proper authorization checks to validate user ownership before allowing collection modifications.

The primary impact of CVE-2026-28354 is unauthorized modification of user collections within the ClipBucket platform. Attackers with valid user accounts can add or remove items from collections owned by other users, compromising data integrity and potentially disrupting user content organization. This can lead to user dissatisfaction, loss of trust, and reputational damage for organizations hosting ClipBucket instances. In environments where collections represent curated or sensitive content, unauthorized changes could facilitate misinformation, content poisoning, or manipulation of media assets. Although the vulnerability does not directly expose confidential data or enable privilege escalation, the ability to alter other users’ collections undermines platform integrity and could be leveraged as part of broader attacks, such as social engineering or targeted harassment. The scope is limited to authenticated users, but given the open-source nature and popularity of ClipBucket, many organizations worldwide could be affected if running vulnerable versions. The absence of known exploits reduces immediate risk but does not preclude future exploitation.

Organizations using ClipBucket v5 should immediately upgrade to version 5.5.3 #59 or later, where the vulnerability is patched with proper authorization checks. If upgrading is not immediately feasible, implement the following mitigations: 1) Conduct a thorough code review of collection management endpoints to verify authorization logic and ownership validation. 2) Apply custom patches to enforce strict user ownership checks before allowing add or remove operations on collections. 3) Restrict access to collection management APIs to trusted users or roles where possible. 4) Monitor logs for unusual activity related to collection modifications, such as users modifying collections they do not own. 5) Educate users about suspicious activity and encourage reporting of unauthorized changes. 6) Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized collection modification attempts. 7) Regularly audit user permissions and session management to prevent abuse by compromised accounts. These steps will help reduce the risk until a full upgrade can be performed.