CVE-2026-34369: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that lets an uploader put a password on a video so that only viewers who supply it can play it. In versions up to and including 26.0, the API endpoints get_api_video_file and get_api_video return the direct playback sources of a video (MP4 URLs, HLS manifests) without checking that password. The check does exist, but only in the normal web playback flow, where it is enforced through the CustomizeUser::getModeYouTube() hook; the API code path never invokes it. An unauthenticated client can therefore ask the API for any password-protected video by its ID and receive the raw stream URLs, bypassing the password entirely. This is a missing authorization flaw (CWE-862): the gate was attached to one presentation path rather than to the protected object, so a second path to the same data shipped with no gate at all. The impact is confidentiality only; the flaw does not let an attacker modify videos or disrupt the service. The CVSS v3.1 score of 5.3 (medium) is consistent with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network-reachable, no privileges or user interaction required, partial confidentiality impact. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 is reported as the fix, which implies the password check is now applied on the API path as well. No exploitation in the wild was known at the time of writing.
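The quickest way to confirm whether your own instance has the gap described above is to request a video you know is password protected through the API with no password and no session, and look for playback sources in the reply. The probe below is an added example written for this page; it is not AVideo project code and is not taken from the advisory. It assumes that the API plugin answers at /plugin/API/get.json.php, that the endpoint is selected with APIName=video (the api_name parameter lets you try the other endpoint the advisory names; the exact APIName values are an assumption), that the video is selected with videos_id, that the reply is JSON, and that playback sources appear in it as strings ending in .mp4, .webm, .m3u8 or .mpd. The two sample responses are constructed; the source extractor walks the whole JSON tree so it does not depend on the real response layout.

```python
"""Probe an AVideo instance for password-protected playback sources
returned through the API path (CVE-2026-34369 style check).

Added example, not AVideo project code. Assumed, not taken from the
advisory: endpoint path, APIName/videos_id query parameters, JSON reply,
and the media/manifest extensions used to recognise a playback source.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Any, Iterator

# A playback source: absolute URL or site-relative path ending in a media or
# manifest extension, optionally followed by a query string.
SOURCE_RE = re.compile(
    r"(?:https?://|/)\S+\.(?:mp4|webm|m3u8|mpd)(?:\?\S*)?", re.IGNORECASE
)


def build_probe_url(base_url: str, videos_id: int, api_name: str = "video") -> str:
    """Assumed request shape. No password and no session are sent on purpose:
    a patched instance must refuse to hand out sources for this request."""
    query = urllib.parse.urlencode({"APIName": api_name, "videos_id": videos_id})
    return f"{base_url.rstrip('/')}/plugin/API/get.json.php?{query}"


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string leaf of an arbitrary JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def extract_sources(payload: Any) -> list:
    """All distinct strings in the reply that look like playback sources."""
    return sorted({s for s in iter_strings(payload) if SOURCE_RE.fullmatch(s)})


def assess(payload: Any) -> dict:
    """Any playback source in the reply to a password-less request means the
    password was not enforced on this path."""
    sources = extract_sources(payload)
    return {"leaked": bool(sources), "sources": sources}


def probe(base_url: str, videos_id: int, api_name: str = "video", timeout: float = 10.0) -> dict:
    """Live check. Run only against an instance you operate, with the ID of a
    video you know is password protected."""
    url = build_probe_url(base_url, videos_id, api_name)
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        payload = json.load(response)
    result = assess(payload)
    result["url"] = url
    return result


# Constructed sample replies (layout invented for the example).
LEAKY_RESPONSE = {
    "error": False,
    "response": {
        "id": 42,
        "title": "Internal all-hands (password protected)",
        "poster": "https://videos.example.test/videos/all-hands/all-hands.jpg",
        "sources": [
            {"type": "video/mp4",
             "src": "https://videos.example.test/videos/all-hands/all-hands_720p.mp4"},
            {"type": "application/x-mpegURL",
             "src": "https://videos.example.test/videos/all-hands/index.m3u8?token=abc"},
        ],
    },
}
PATCHED_RESPONSE = {
    "error": True,
    "msg": "This video requires a password",
    "response": {"id": 42, "title": "Internal all-hands (password protected)"},
}

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY_RESPONSE), ("patched", PATCHED_RESPONSE)):
        print(name, assess(sample))
```

Run the two samples first to see the shape of the verdict, then call probe() against your own instance. A reply that carries sources is a positive regardless of what else it contains; a reply that carries none but still discloses title or thumbnail is not this bug, but is worth a separate look.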
Potential Impact
The primary impact is unauthorized disclosure of video content that its owner deliberately placed behind a password. Any organization that hosts sensitive or private videos on AVideo is exposed to every unauthenticated client that can reach the API endpoints, which on an Internet-facing instance means anyone. Consequences range from privacy violations and intellectual-property theft to reputational damage, and for operators that rely on AVideo for controlled distribution (educational institutions, media companies, enterprises sharing proprietary recordings) the exposure can carry contractual and legal liability. Integrity and availability are unaffected, so the impact is confined to confidentiality. Exploitation needs neither credentials nor user interaction, and the request is a plain API call keyed by video ID, so mass scraping of an instance's password-protected catalogue is easy to automate. No exploits were known in the wild at the time of writing, but the public disclosure together with a published fix means an exploit is straightforward to produce, and unpatched instances should be treated as exposed.
Mitigation Recommendations
Upgrade AVideo to a release that includes the fix for CVE-2026-34369, or apply commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7, so that the get_api_video_file and get_api_video endpoints enforce the same password check as the web playback flow. Until that is done, block or restrict those API endpoints at the reverse proxy, API gateway or firewall so that unauthenticated clients cannot call them; if the API is needed by integrations, require an authentication token or restrict callers to an IP allowlist, and apply rate limiting so that enumeration of video IDs is slow and visible. Review web-server and API logs for clients requesting many distinct video IDs through these endpoints, particularly without the corresponding video page views, since that is the pattern a scraper leaves; the same detection is worth keeping after patching as part of a broader API-security posture. Finally, inventory the password-protected videos on the instance and assess exposure. Note that the leaked artefact is a direct playback URL, so changing a video's password does not necessarily invalidate a URL an attacker already holds; where unauthorized access is suspected, re-encoding or relocating the media so that previously exposed URLs stop resolving is the more reliable remedy, and should be confirmed afterwards by retrying an old URL.
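The log review recommended above can be scripted. The detector below is an added example written for this page, not AVideo project code and not from the advisory. It assumes web-server logs in combined format, that the API plugin is reached at /plugin/API/get.json.php, and that the two endpoints named in the advisory are selected with APIName=video and APIName=video_file (an assumption; adjust API_NAMES to what your instance actually logs). The sample log lines are constructed. Because a log line cannot show whether the response body carried playback sources (a patched server may still answer 200 with an error object), the rule flags the behaviour rather than the outcome: one client requesting at least `threshold` distinct video IDs through these endpoints inside a sliding time window.

```python
"""Flag clients enumerating videos through the AVideo API plugin, from
web-server access logs.

Added example, not AVideo project code. Assumed, not from the advisory:
combined log format, the API path, and the APIName values that map to the
advisory's get_api_video / get_api_video_file endpoints.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlparse

# Prefix of the combined log format: host, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
API_PATH = "/plugin/API/get.json.php"
API_NAMES = {"video", "video_file"}  # assumed APIName values for the two endpoints


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "target": m["target"],
        "status": int(m["status"]),
    }


def api_videos_id(target: str) -> Optional[str]:
    """videos_id when the request targets the API video endpoints, else None."""
    parsed = urlparse(target)
    if parsed.path != API_PATH:
        return None
    query = parse_qs(parsed.query)
    if query.get("APIName", [""])[0] not in API_NAMES:
        return None
    vid = query.get("videos_id", [""])[0]
    return vid if vid.isdigit() else None


def find_enumerators(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                     threshold: int = 5) -> dict:
    """Map client IP -> sorted distinct videos_id for every client that asked
    for at least `threshold` distinct videos through the API within `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        vid = api_videos_id(entry["target"])
        if vid is None:
            continue
        per_ip[entry["ip"]].append((entry["ts"], vid))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        left = 0
        # Sliding window over the client's timestamps; stop at the first hit.
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:
                left += 1
            distinct = {v for _, v in events[left:right + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted(distinct, key=int)
                break
    return flagged


# Constructed sample log: one scraper walking IDs, one browser viewing a single
# video (its player fetches the API with the video page as referer), one
# unrelated API call.
SAMPLE_LOG = """\
203.0.113.77 - - [27/Mar/2026:18:44:01 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=101 HTTP/1.1" 200 2310 "-" "python-requests/2.32"
203.0.113.77 - - [27/Mar/2026:18:44:02 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=102 HTTP/1.1" 200 2295 "-" "python-requests/2.32"
203.0.113.77 - - [27/Mar/2026:18:44:02 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=103 HTTP/1.1" 200 2301 "-" "python-requests/2.32"
203.0.113.77 - - [27/Mar/2026:18:44:03 +0000] "GET /plugin/API/get.json.php?APIName=video_file&videos_id=104 HTTP/1.1" 200 1880 "-" "python-requests/2.32"
203.0.113.77 - - [27/Mar/2026:18:44:04 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=105 HTTP/1.1" 200 2288 "-" "python-requests/2.32"
198.51.100.8 - - [27/Mar/2026:18:45:10 +0000] "GET /video/101/all-hands HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
198.51.100.8 - - [27/Mar/2026:18:45:12 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=101 HTTP/1.1" 200 2310 "https://avideo.example.test/video/101/all-hands" "Mozilla/5.0"
198.51.100.8 - - [27/Mar/2026:18:47:30 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=101 HTTP/1.1" 200 2310 "https://avideo.example.test/video/101/all-hands" "Mozilla/5.0"
192.0.2.15 - - [27/Mar/2026:18:50:00 +0000] "GET /plugin/API/get.json.php?APIName=user&user=alice HTTP/1.1" 200 512 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} requested {len(ids)} distinct videos via the API: {ids}")
```

On the sample, only 203.0.113.77 is flagged; the browser client repeats a single ID and the user lookup is ignored. Tune window and threshold to your traffic, and consider adding the referer as a second signal: in the sample the legitimate player fetches carry the video page as referer while the scraper sends none.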
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, India, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:43:14.369Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6d01e3c064ed76fe28e11
Added to database: 3/27/2026, 6:44:46 PM
Last enriched: 3/27/2026, 7:00:43 PM
Last updated: 3/28/2026, 1:08:13 AM