Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive permission data exposed
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to query the endpoint "plugin/Permissions/View/Users_groups_permissions/list.json.php" without any authentication or authorization check. This results in the disclosure of the entire permission matrix that maps user groups to plugin capabilities. Because the data reveals which plugins are enabled for each group, an attacker could plan targeted attacks or attempt privilege escalation based on available functionalities. The weakness is a classic example of insufficient privilege checks (CWE-862).

Affected Systems

The issue affects the AVideo video platform developed by WWBN, specifically all releases up to and including version 26.0. Users running these versions are at risk unless they apply the available patch or upgrade to a newer release that contains the fix.

Risk and Exploitability

The CVSS Base Score of 5.3 indicates moderate severity, and the EPSS Score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and no public exploit is known. Attackers could reach the vulnerable endpoint directly over HTTP/HTTPS from anywhere, requiring no credentials. Once accessed, the endpoint returns full permission mappings in JSON format, allowing straightforward data extraction. Consequently, the risk is moderate for exposed data and low for immediate exploitation, but the lack of authentication makes it trivial for a determined adversary.

Generated by OpenCVE AI on March 24, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to a version newer than 26.0 or apply the patch commits b583acdc9a9d1eab461543caa363e1a104fb4516 or dc3c825734628bb32550d0daa125f05bacb6829c that add the missing authentication check to the endpoint.
  • Configure firewall or web‑server rules to block external access to any URL path under /plugin/Permissions/ so that only internal users can reach the controller. This limits the attack surface while the patch is applied.
  • Verify that the endpoint now requires an authenticated admin session by attempting to access it after the upgrade or patch; a 403 forbidden or authentication prompt should appear instead of permission data.

Generated by OpenCVE AI on March 24, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-96qp-8cmq-jvq8 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
History

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
Title AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:18:32.194Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33501

cve-icon Vulnrichment

Updated: 2026-03-25T14:18:26.592Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T17:16:51.490

Modified: 2026-03-24T18:08:01.460

Link: CVE-2026-33501

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:25Z

Weaknesses