Description
Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.
Published: 2026-03-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The vulnerability in Wowza Streaming Engine 4.5.0 allows an authenticated user with read‑only permissions to elevate their privileges to administrator by manipulating POST parameters sent to the user edit endpoint. By setting the `accessLevel` field to `admin` and enabling `advUser` parameters, an attacker can execute the request and gain full administrative control over the streaming platform. This escalation can lead to unauthorized configuration changes, stream creation, deletion, or other administrative actions. The weakness is identified as CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

Affected products are Wowza Media Systems, LLC’s Wowza Streaming Engine, specifically version 4.5.0. The vulnerability is present only in that version; no other affected versions are listed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The EPSS score of less than 1% suggests low public exploit probability, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires an authenticated read‑only user account, which can be obtained through compromised credentials or social engineering. Once logged in, the attacker crafts a POST request to the `/userEdit` endpoint with the specified parameters. No additional local privileges are needed beyond the initial authentication, making the exploit straightforward for an attacker with network access to the management interface.

Generated by OpenCVE AI on March 19, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wowza Streaming Engine to a patched version.
  • If upgrade is delayed, block POST requests to the /userEdit endpoint from non‑administrative sources or apply network segmentation to isolate the management interface.
  • Enable logging and monitor for suspicious POST activity targeting user edit functionality.
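
One way to implement the monitoring action above, as an added example (not code from OpenCVE or Wowza). It assumes a reverse proxy in front of the management interface that writes JSON-lines records with hypothetical `user`, `method`, `path` and `body` fields, and an operator-maintained `KNOWN_ADMINS` set; the `/userEdit` path and the `accessLevel` / `advUser` parameters are taken from this page.

```python
import json
from urllib.parse import parse_qs

USER_EDIT_PATH = "/userEdit"   # endpoint name as written on this page
KNOWN_ADMINS = {"admin"}       # assumption: operator-maintained list of real admins

# Constructed sample records (assumed JSON-lines proxy log, not real Wowza output).
SAMPLE_LOG = """\
{"user":"admin","method":"POST","path":"/userEdit","body":"userName=ops&accessLevel=admin"}
{"user":"viewer1","method":"GET","path":"/userEdit","body":""}
{"user":"viewer1","method":"POST","path":"/userEdit","body":"userName=viewer1&accessLevel=admin&advUser=true&advUser=on"}
{"user":"viewer2","method":"POST","path":"/userEdit/","body":"userName=viewer2&accessLevel=%41dmin"}
{"user":"viewer1","method":"POST","path":"/userEdit","body":"userName=viewer1"}
"""


def suspicious_fields(body):
    """Return the privilege-related fields found in a form-encoded body."""
    # parse_qs percent-decodes values and keeps repeated keys as a list.
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    if any(v.strip().lower() == "admin" for v in params.get("accessLevel", [])):
        hits.append("accessLevel=admin")
    adv = {v.strip().lower() for v in params.get("advUser", [])} & {"true", "on"}
    if adv:
        hits.append("advUser=" + ",".join(sorted(adv)))
    return hits


def find_escalation_attempts(log_text):
    """Return (line_no, user, fields) for privilege-setting POSTs by non-admins."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if str(rec.get("method", "")).upper() != "POST":
            continue
        path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
        if path != USER_EDIT_PATH or rec.get("user") in KNOWN_ADMINS:
            continue
        hits = suspicious_fields(str(rec.get("body", "")))
        if hits:
            alerts.append((line_no, rec.get("user"), hits))
    return alerts


if __name__ == "__main__":
    for alert in find_escalation_attempts(SAMPLE_LOG):
        print(alert)
```

The percent-encoded and mixed-case value on the fourth sample line is matched because the body is decoded and lower-cased before comparison.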


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Sun, 15 Mar 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access. |
| Title | | Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit |
| First Time appeared | | Wowza; Wowza streaming Engine |
| Weaknesses | | CWE-352 |
| CPEs | | `cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*` |
| Vendors & Products | | Wowza; Wowza streaming Engine |
| References | | |
| Metrics | | cvssV3_1: `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`; cvssV4_0: `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:30:30.300Z

Reserved: 2026-03-15T18:22:05.054Z

Link: CVE-2016-20034

Vulnrichment

Updated: 2026-03-16T14:21:03.969Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:50.507

Modified: 2026-03-19T14:16:48.250

Link: CVE-2016-20034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:24Z

Weaknesses