CVE-2026-40907: CWE-639: Authorization Bypass Through User-Controlled Key in WWBN AVideo
WWBN AVideo versions 29. 0 and earlier contain an authorization bypass vulnerability (CVE-2026-40907) in the endpoint plugin/Live/view/Live_restreams/list. json. php. This Insecure Direct Object Reference (IDOR) flaw allows any authenticated user with streaming permission to access other users' live restream configurations, including sensitive third-party platform stream keys and OAuth tokens for services such as YouTube Live, Facebook Live, and Twitch. The vulnerability has a CVSS score of 6. 5, indicating medium severity. A code commit (d5992fff2811df4adad1d9fc7d0a5837b882aed7) reportedly fixes the issue, but no official patch or vendor advisory is provided in the data. No known exploits are reported in the wild. The product is not a cloud service, so remediation depends on applying the fix in affected versions.
AI Analysis
Technical Summary
CVE-2026-40907 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting WWBN AVideo versions 29.0 and prior. The vulnerability exists in the plugin/Live/view/Live_restreams/list.json.php endpoint, where authenticated users with streaming permission can retrieve live restream configurations belonging to other users. This includes sensitive credentials such as third-party platform stream keys and OAuth tokens (access_token, refresh_token) for YouTube Live, Facebook Live, and Twitch. The issue is an Insecure Direct Object Reference (IDOR) that allows unauthorized data access. A specific commit has been identified as a fix, but no formal vendor advisory or patch link is provided. The CVSS 3.1 base score is 6.5, reflecting a medium severity impact primarily on confidentiality.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive live streaming configuration data, including third-party platform stream keys and OAuth tokens. This exposure could lead to unauthorized use or hijacking of affected users' streaming accounts on platforms like YouTube Live, Facebook Live, and Twitch. There is no indication of impact on integrity or availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
A code commit (d5992fff2811df4adad1d9fc7d0a5837b882aed7) fixes the vulnerability. However, no official vendor advisory or patch release information is provided. Users of WWBN AVideo version 29.0 or earlier should update to a version including this fix once available or apply the fix from the referenced commit. Since this is not a cloud service, remediation requires manual patching or upgrading by the user. Patch status is not yet confirmed — check the vendor advisory or official WWBN channels for current remediation guidance.
CVE-2026-40907: CWE-639: Authorization Bypass Through User-Controlled Key in WWBN AVideo
Description
WWBN AVideo versions 29. 0 and earlier contain an authorization bypass vulnerability (CVE-2026-40907) in the endpoint plugin/Live/view/Live_restreams/list. json. php. This Insecure Direct Object Reference (IDOR) flaw allows any authenticated user with streaming permission to access other users' live restream configurations, including sensitive third-party platform stream keys and OAuth tokens for services such as YouTube Live, Facebook Live, and Twitch. The vulnerability has a CVSS score of 6. 5, indicating medium severity. A code commit (d5992fff2811df4adad1d9fc7d0a5837b882aed7) reportedly fixes the issue, but no official patch or vendor advisory is provided in the data. No known exploits are reported in the wild. The product is not a cloud service, so remediation depends on applying the fix in affected versions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40907 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting WWBN AVideo versions 29.0 and prior. The vulnerability exists in the plugin/Live/view/Live_restreams/list.json.php endpoint, where authenticated users with streaming permission can retrieve live restream configurations belonging to other users. This includes sensitive credentials such as third-party platform stream keys and OAuth tokens (access_token, refresh_token) for YouTube Live, Facebook Live, and Twitch. The issue is an Insecure Direct Object Reference (IDOR) that allows unauthorized data access. A specific commit has been identified as a fix, but no formal vendor advisory or patch link is provided. The CVSS 3.1 base score is 6.5, reflecting a medium severity impact primarily on confidentiality.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive live streaming configuration data, including third-party platform stream keys and OAuth tokens. This exposure could lead to unauthorized use or hijacking of affected users' streaming accounts on platforms like YouTube Live, Facebook Live, and Twitch. There is no indication of impact on integrity or availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
A code commit (d5992fff2811df4adad1d9fc7d0a5837b882aed7) fixes the vulnerability. However, no official vendor advisory or patch release information is provided. Users of WWBN AVideo version 29.0 or earlier should update to a version including this fix once available or apply the fix from the referenced commit. Since this is not a cloud service, remediation requires manual patching or upgrading by the user. Patch status is not yet confirmed — check the vendor advisory or official WWBN channels for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T16:37:22.767Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7d78519fe3cd2cdf5b331
Added to database: 4/21/2026, 8:01:09 PM
Last enriched: 4/21/2026, 8:17:03 PM
Last updated: 4/21/2026, 9:53:37 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.