CVE-2026-34245: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the victim playlist owner's identity, allowing content hijacking and stream disruption. Commit 1e6dc20172de986f60641eb4fdb4090f079ffdce contains a patch.
AI Analysis
Technical Summary
CVE-2026-34245 is a missing authorization vulnerability (CWE-862) in WWBN AVideo up to version 26.0. The vulnerability exists in the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint, which allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform without verifying ownership. When these schedules execute, the rebroadcast runs under the victim playlist owner's identity, enabling content hijacking and disruption of streaming content. The issue is fixed in commit 1e6dc20172de986f60641eb4fdb4090f079ffdce.
Potential Impact
An attacker with streaming permission can hijack content by creating or modifying broadcast schedules for playlists they do not own. This can lead to unauthorized rebroadcasts running under the victim's identity, causing content integrity issues and potential disruption of legitimate streams. The confidentiality, integrity, and availability of the affected playlists are impacted at a low to medium level.
Mitigation Recommendations
A patch addressing this vulnerability is available in commit 1e6dc20172de986f60641eb4fdb4090f079ffdce. Users of WWBN AVideo should apply this patch or upgrade to a version later than 26.0 that includes the fix. Since this is not a cloud service, remediation requires manual patching or upgrading by the user. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-34245: CWE-862: Missing Authorization in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the victim playlist owner's identity, allowing content hijacking and stream disruption. Commit 1e6dc20172de986f60641eb4fdb4090f079ffdce contains a patch.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34245 is a missing authorization vulnerability (CWE-862) in WWBN AVideo up to version 26.0. The vulnerability exists in the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint, which allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform without verifying ownership. When these schedules execute, the rebroadcast runs under the victim playlist owner's identity, enabling content hijacking and disruption of streaming content. The issue is fixed in commit 1e6dc20172de986f60641eb4fdb4090f079ffdce.
Potential Impact
An attacker with streaming permission can hijack content by creating or modifying broadcast schedules for playlists they do not own. This can lead to unauthorized rebroadcasts running under the victim's identity, causing content integrity issues and potential disruption of legitimate streams. The confidentiality, integrity, and availability of the affected playlists are impacted at a low to medium level.
Mitigation Recommendations
A patch addressing this vulnerability is available in commit 1e6dc20172de986f60641eb4fdb4090f079ffdce. Users of WWBN AVideo should apply this patch or upgrade to a version later than 26.0 that includes the fix. Since this is not a cloud service, remediation requires manual patching or upgrading by the user. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-26T16:22:29.034Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6b7823c064ed76fc77dae
Added to database: 3/27/2026, 4:59:46 PM
Last enriched: 4/4/2026, 10:53:42 AM
Last updated: 5/11/2026, 5:07:39 AM
Views: 57
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.