CVE-2026-34395: CWE-862: Missing Authorization in WWBN AVideo
CVE-2026-34395 is a medium severity missing authorization vulnerability in WWBN AVideo versions 26. 0 and earlier. The flaw exists in the plugin/YPTWallet/view/users. json. php endpoint, which returns the full user database including personal information and wallet balances to any authenticated user. The endpoint only verifies that the requester is logged in but fails to check for administrative privileges, allowing any registered user to access sensitive data of all platform users. No public patches are available at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability impacts confidentiality but does not affect integrity or availability. Exploitation requires authentication but no user interaction beyond login. Organizations using vulnerable versions of AVideo should restrict access to this endpoint and monitor for suspicious activity until a patch is released.
AI Analysis
Technical Summary
CVE-2026-34395 is a missing authorization vulnerability classified under CWE-862 affecting WWBN AVideo, an open-source video platform. In versions 26.0 and prior, the endpoint plugin/YPTWallet/view/users.json.php improperly authorizes access to sensitive user data. While it verifies that the requester is authenticated via User::isLogged(), it neglects to verify if the user has administrative privileges (User::isAdmin()). Consequently, any authenticated user can retrieve a JSON response containing the entire user database, including personal details and wallet balances. This exposure compromises user confidentiality and privacy. The vulnerability does not require user interaction beyond authentication and is remotely exploitable over the network with low attack complexity. The CVSS v3.1 base score is 6.5, reflecting a medium severity due to high confidentiality impact but no impact on integrity or availability. At the time of publication, no patches or mitigations have been officially released by WWBN. There are no known exploits in the wild, but the vulnerability poses a significant risk to platforms running vulnerable versions, especially those with large user bases or sensitive wallet data. The flaw highlights the importance of enforcing proper authorization checks beyond simple authentication in web application endpoints that expose sensitive data.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information and wallet balances to any authenticated user on the platform. This breach of confidentiality can lead to privacy violations, identity theft, and financial information exposure. Organizations operating AVideo platforms risk reputational damage, loss of user trust, and potential regulatory penalties related to data protection laws such as GDPR or CCPA. Although the vulnerability does not affect data integrity or system availability, the exposure of wallet balances could facilitate targeted fraud or social engineering attacks. The ease of exploitation—requiring only valid user credentials—means that insider threats or compromised accounts can readily abuse this flaw. Platforms with large or high-value user bases are particularly vulnerable to significant data leakage. Until a patch is available, the risk of data exfiltration remains high, especially if attackers gain access to any user account.
Mitigation Recommendations
Given the absence of official patches, organizations should implement immediate compensating controls. These include restricting access to the vulnerable endpoint via web application firewalls (WAFs) or network-level controls to allow only trusted administrative IPs. Review and tighten user role permissions to minimize the number of accounts with access to sensitive data. Monitor logs for unusual access patterns to the users.json.php endpoint or bulk data requests. Consider temporarily disabling or removing the YPTWallet plugin if feasible. Enforce strong authentication mechanisms and account monitoring to reduce the risk of compromised user credentials. Engage with WWBN for updates on patch releases and apply them promptly once available. Additionally, conduct security audits of other endpoints to ensure proper authorization checks are consistently implemented. Educate users about phishing and credential security to prevent account takeover.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
CVE-2026-34395: CWE-862: Missing Authorization in WWBN AVideo
Description
CVE-2026-34395 is a medium severity missing authorization vulnerability in WWBN AVideo versions 26. 0 and earlier. The flaw exists in the plugin/YPTWallet/view/users. json. php endpoint, which returns the full user database including personal information and wallet balances to any authenticated user. The endpoint only verifies that the requester is logged in but fails to check for administrative privileges, allowing any registered user to access sensitive data of all platform users. No public patches are available at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability impacts confidentiality but does not affect integrity or availability. Exploitation requires authentication but no user interaction beyond login. Organizations using vulnerable versions of AVideo should restrict access to this endpoint and monitor for suspicious activity until a patch is released.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34395 is a missing authorization vulnerability classified under CWE-862 affecting WWBN AVideo, an open-source video platform. In versions 26.0 and prior, the endpoint plugin/YPTWallet/view/users.json.php improperly authorizes access to sensitive user data. While it verifies that the requester is authenticated via User::isLogged(), it neglects to verify if the user has administrative privileges (User::isAdmin()). Consequently, any authenticated user can retrieve a JSON response containing the entire user database, including personal details and wallet balances. This exposure compromises user confidentiality and privacy. The vulnerability does not require user interaction beyond authentication and is remotely exploitable over the network with low attack complexity. The CVSS v3.1 base score is 6.5, reflecting a medium severity due to high confidentiality impact but no impact on integrity or availability. At the time of publication, no patches or mitigations have been officially released by WWBN. There are no known exploits in the wild, but the vulnerability poses a significant risk to platforms running vulnerable versions, especially those with large user bases or sensitive wallet data. The flaw highlights the importance of enforcing proper authorization checks beyond simple authentication in web application endpoints that expose sensitive data.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information and wallet balances to any authenticated user on the platform. This breach of confidentiality can lead to privacy violations, identity theft, and financial information exposure. Organizations operating AVideo platforms risk reputational damage, loss of user trust, and potential regulatory penalties related to data protection laws such as GDPR or CCPA. Although the vulnerability does not affect data integrity or system availability, the exposure of wallet balances could facilitate targeted fraud or social engineering attacks. The ease of exploitation—requiring only valid user credentials—means that insider threats or compromised accounts can readily abuse this flaw. Platforms with large or high-value user bases are particularly vulnerable to significant data leakage. Until a patch is available, the risk of data exfiltration remains high, especially if attackers gain access to any user account.
Mitigation Recommendations
Given the absence of official patches, organizations should implement immediate compensating controls. These include restricting access to the vulnerable endpoint via web application firewalls (WAFs) or network-level controls to allow only trusted administrative IPs. Review and tighten user role permissions to minimize the number of accounts with access to sensitive data. Monitor logs for unusual access patterns to the users.json.php endpoint or bulk data requests. Consider temporarily disabling or removing the YPTWallet plugin if feasible. Enforce strong authentication mechanisms and account monitoring to reduce the risk of compromised user credentials. Engage with WWBN for updates on patch releases and apply them promptly once available. Additionally, conduct security audits of other endpoints to ensure proper authorization checks are consistently implemented. Educate users about phishing and credential security to prevent account takeover.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T13:45:29.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc343ee6bfc5ba1d4033d5
Added to database: 3/31/2026, 8:53:18 PM
Last enriched: 3/31/2026, 9:09:05 PM
Last updated: 3/31/2026, 9:54:36 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.