
CVE-2026-30885: CWE-306: Missing Authentication for Critical Function in WWBN AVideo

Severity: Medium
Tags: CVE-2026-30885, CWE-306, CWE-862
Published: Mon Mar 09 2026 (03/09/2026, 22:35:59 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.

AI-Powered Analysis

Last updated: 03/09/2026, 23:04:03 UTC

Technical Analysis

CVE-2026-30885 identifies a missing authentication vulnerability in the WWBN AVideo open source video platform, specifically affecting versions prior to 25.0. The vulnerability exists in the /objects/playlistsFromUser.json.php endpoint, which returns all playlists associated with any user without requiring authentication or authorization. This means an unauthenticated attacker can enumerate user IDs and retrieve sensitive playlist information such as playlist names, video IDs, and playlist statuses. The root cause is a lack of access control enforcement on a critical function, categorized under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization). The vulnerability has a CVSS 4.0 base score of 5.5 (medium severity), reflecting that it is remotely exploitable without authentication or user interaction, but the impact is limited to confidentiality loss of playlist metadata without affecting integrity or availability. No known exploits have been reported in the wild as of the publication date. The issue was addressed and fixed in AVideo version 25.0 by implementing proper authentication and authorization checks on the affected endpoint. This vulnerability primarily exposes user playlist data, which could be leveraged for user enumeration, privacy violations, or reconnaissance by attackers targeting the platform or its users.

Potential Impact

The primary impact of CVE-2026-30885 is the unauthorized disclosure of user playlist information, including playlist names, video IDs, and statuses. This can lead to privacy violations for users of the platform, as attackers can gather detailed data about user activity and preferences without any authentication. While the vulnerability does not allow modification or deletion of data, the exposure of user-related metadata can facilitate targeted social engineering, user enumeration, or further attacks against the platform or its users. Organizations relying on WWBN AVideo for video hosting or streaming services may suffer reputational damage and loss of user trust if such data is leaked. Additionally, attackers could use the exposed information to map the platform’s user base and content structure, aiding in more sophisticated attacks. Although the vulnerability does not directly impact system integrity or availability, the confidentiality breach is significant for platforms handling sensitive or proprietary video content. The lack of authentication requirements also indicates potential gaps in the platform’s security posture that could be exploited in other ways.

Mitigation Recommendations

To mitigate CVE-2026-30885, organizations should immediately upgrade WWBN AVideo to version 25.0 or later, where the vulnerability has been fixed by enforcing authentication and authorization on the /objects/playlistsFromUser.json.php endpoint. Until the upgrade is applied, administrators should consider restricting access to the affected endpoint via network-level controls such as firewall rules or API gateways to limit exposure to trusted users only. Implementing strong authentication mechanisms (e.g., OAuth, API keys) and role-based access control (RBAC) on all API endpoints is critical to prevent unauthorized data access. Regularly audit and monitor API access logs to detect unusual or unauthorized requests targeting playlist data. Additionally, conduct a comprehensive security review of other API endpoints to ensure no similar missing authentication issues exist. Educate developers on secure coding practices to avoid missing authentication and authorization checks on critical functions. Finally, inform users about the potential privacy risks and encourage them to report any suspicious activity related to their accounts.
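As an added defensive example (not part of this advisory or of the AVideo project), the following Python script applies the log-monitoring recommendation above and targets the enumeration pattern described in the Technical Analysis: it parses web-server access-log lines and flags any client that requests playlists for many different user IDs from the affected endpoint within a short window. Legitimate front-end use fetches one or a few users' playlists; a rapid walk through sequential IDs is the reconnaissance the advisory warns about. The combined log format, the `users_id` parameter name, the 60-second window and the threshold of five distinct IDs are assumptions to adjust for your deployment; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory. The query parameter name is an assumption
# (users_id is the convention AVideo uses elsewhere); confirm it against your logs.
TARGET_PATH = "/objects/playlistsFromUser.json.php"
ID_PARAM = "users_id"

# Apache/nginx "combined" access-log format; trailing referer/agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic (not real logs): one client walks users_id 1..6 in
# a few seconds, a browser fetches one user's playlists twice, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2026:22:40:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [09/Mar/2026:22:40:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 498 "-" "curl/8.4.0"
203.0.113.7 - - [09/Mar/2026:22:40:04 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 77 "-" "curl/8.4.0"
203.0.113.7 - - [09/Mar/2026:22:40:05 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 1024 "-" "curl/8.4.0"
203.0.113.7 - - [09/Mar/2026:22:40:07 +0000] "GET /objects/playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 301 "-" "curl/8.4.0"
203.0.113.7 - - [09/Mar/2026:22:40:09 +0000] "GET /objects/playlistsFromUser.json.php?users_id=6 HTTP/1.1" 200 640 "-" "curl/8.4.0"
198.51.100.2 - - [09/Mar/2026:22:41:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 880 "https://video.example/" "Mozilla/5.0"
198.51.100.2 - - [09/Mar/2026:22:41:30 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 880 "https://video.example/" "Mozilla/5.0"
192.0.2.9 - - [09/Mar/2026:22:42:10 +0000] "GET /objects/videos.json.php?page=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a record for a request to the affected endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != TARGET_PATH:
        return None
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if ID_PARAM not in params:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "users_id": params[ID_PARAM],
        "status": int(m.group("status")),
    }


def find_enumeration(lines, window=timedelta(seconds=60), min_distinct=5):
    """Return {ip: set_of_users_id} for clients that requested at least
    `min_distinct` different user IDs from the endpoint inside `window`.
    All statuses count: attempts against a patched instance are still recon."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append((rec["ts"], rec["users_id"]))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over this client's requests, tracking the largest
        # set of distinct IDs seen within any `window`-sized span.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {uid for _, uid in events[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= min_distinct:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible playlist enumeration from {ip}: users_id {sorted(ids)}")
```

Run against the constructed sample, only 203.0.113.7 is reported (six distinct IDs in under ten seconds); the browser client repeating a single ID is not. In production, feed the script your real access log, tune the window and threshold to normal front-end behaviour, and after upgrading to 25.0 keep the rule active, since denied requests to the endpoint still reveal who is probing it.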

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-06T00:04:56.700Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69af4e6aea502d3aa8cf7ccf

Added to database: 3/9/2026, 10:49:14 PM

Last enriched: 3/9/2026, 11:04:03 PM

Last updated: 3/13/2026, 2:52:39 PM
