WWBN AVideo is an open-source video platform used for video hosting and streaming. In versions 26.0 and prior, a vulnerability identified as CVE-2026-34738 (CWE-285: Improper Authorization) exists in the video processing pipeline. Specifically, the system accepts an overrideStatus request parameter that allows users with upload permissions to set a video's status to any valid state, including 'active'. The setStatus() method validates that the status code is among known valid values but fails to verify whether the user has the necessary authorization to assign that status. This flaw enables any uploader to bypass the intended admin-controlled moderation and draft workflows, effectively publishing videos directly without review. The vulnerability does not require user interaction beyond having upload rights, and no authentication bypass is involved since upload permissions are required. At the time of disclosure, no patches or fixes have been publicly released. The CVSS 3.1 base score is 4.3, indicating a medium severity primarily due to the limited scope of impact (integrity only) and the requirement of authenticated upload privileges. No exploits have been observed in the wild, but the vulnerability poses a risk to content integrity and moderation controls in affected deployments.

The primary impact of this vulnerability is on the integrity of video content management within affected AVideo platforms. Attackers or unauthorized users with upload permissions can circumvent moderation controls and publish potentially inappropriate, malicious, or unauthorized videos directly. This undermines content governance, potentially exposing organizations to reputational damage, regulatory compliance issues, or the spread of harmful content. While confidentiality and availability are not directly impacted, the loss of control over published content can have significant operational and legal consequences, especially for organizations relying on strict content review processes. The vulnerability affects all organizations using AVideo versions 26.0 or earlier, particularly those with multiple upload users or open upload policies. Since no patches are available, the risk remains until mitigations are applied or updates released.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict upload permissions strictly to trusted users and minimize the number of users with upload rights. 2) Implement additional access controls or custom validation on the server side to enforce status change authorization, possibly by modifying or extending the setStatus() method to verify user roles before allowing status changes. 3) Monitor and audit upload activities and video status changes closely to detect unauthorized publishing attempts. 4) Consider disabling or restricting the overrideStatus parameter if possible through configuration or code changes. 5) Educate users and administrators about the risk and enforce strict content review policies outside the platform if feasible. 6) Track vendor communications for patches or updates and plan timely application once available. 7) If feasible, deploy web application firewalls (WAFs) or API gateways to detect and block suspicious overrideStatus parameter usage.