CVE-2026-34369: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-34369 is a missing authorization vulnerability (CWE-862) in WWBN AVideo up to version 26.0. The vulnerability exists because the API endpoints get_api_video_file and get_api_video do not verify the password for password-protected videos before returning direct playback URLs such as MP4 files and HLS manifests. This bypasses the intended access control enforced in the normal web playback flow, allowing unauthenticated attackers to retrieve video playback sources directly via the API. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts confidentiality only. The issue is resolved by a specific code commit that adds the missing authorization checks.
Potential Impact
An unauthenticated attacker can bypass password protection on videos by directly calling vulnerable API endpoints to retrieve direct playback URLs. This leads to unauthorized disclosure of video content, impacting confidentiality. There is no impact on integrity or availability. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available and has been implemented in the codebase as commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7. Users should upgrade to a version that includes this fix or apply the patch from this commit to ensure that API endpoints properly enforce password verification. Since this is not a cloud service, remediation depends on applying the patch or upgrading the affected software.
CVE-2026-34369: CWE-862: Missing Authorization in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34369 is a missing authorization vulnerability (CWE-862) in WWBN AVideo up to version 26.0. The vulnerability exists because the API endpoints get_api_video_file and get_api_video do not verify the password for password-protected videos before returning direct playback URLs such as MP4 files and HLS manifests. This bypasses the intended access control enforced in the normal web playback flow, allowing unauthenticated attackers to retrieve video playback sources directly via the API. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts confidentiality only. The issue is resolved by a specific code commit that adds the missing authorization checks.
Potential Impact
An unauthenticated attacker can bypass password protection on videos by directly calling vulnerable API endpoints to retrieve direct playback URLs. This leads to unauthorized disclosure of video content, impacting confidentiality. There is no impact on integrity or availability. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available and has been implemented in the codebase as commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7. Users should upgrade to a version that includes this fix or apply the patch from this commit to ensure that API endpoints properly enforce password verification. Since this is not a cloud service, remediation depends on applying the patch or upgrading the affected software.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T13:43:14.369Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6d01e3c064ed76fe28e11
Added to database: 3/27/2026, 6:44:46 PM
Last enriched: 4/4/2026, 10:59:10 AM
Last updated: 5/11/2026, 5:25:23 AM
Views: 44
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.