Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.
Published: 2026-03-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated configuration takeover
Action: Apply Patch
AI Analysis

Impact

A key‑based authentication check is omitted when the CDN plugin’s authentication key remains the default empty string. This allows any user to access the plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php without credentials. The endpoints accept a par request parameter that can be used to mass‑assign configuration values, enabling an attacker to modify the entire CDN configuration, including URLs, storage credentials, and the authentication key itself.

Affected Systems

The vulnerability affects the WWBN AVideo video platform, specifically versions up to and including 26.0, where the CDN plugin endpoints are present.

Risk and Exploitability

The CVSS base score of 8.6 indicates a high severity. The EPSS score is less than 1 %, implying a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker does not need any further authentication or privileged credentials; the flaw is exploitable simply by issuing HTTP requests to the exposed plugin URLs when the CDN plugin is enabled with its default empty key.

Generated by OpenCVE AI on March 25, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to a release that includes commit adeff0a31ba04a56f411eef256139fd7ed7d4310, which restores proper key validation.
  • If an upgrade is not feasible, block access to plugin/CDN/status.json.php and plugin/CDN/disable.json.php in the web server configuration or disable the CDN plugin in the application.
  • After applying the patch or disabling the plugin, set a non‑empty authentication key in the CDN configuration to prevent future bypasses.
  • Review the application’s plugin endpoints periodically to ensure no mass‑assignment vulnerabilities remain.
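The two defects the Impact section describes (an empty default key that makes the authentication check pass, and a request parameter that writes arbitrary configuration fields) both come from common PHP patterns, and the fix for each is short. The block below is an added illustration, not AVideo's code and not the content of commit adeff0a31ba04a56f411eef256139fd7ed7d4310: it places the weak key check beside a hardened one and adds an allowlist for the fields a `par`-style parameter may write. Function names (`cdn_config_get`, `authorize_weak`, `authorize_hardened`, `apply_config_update`), the constant `CDN_WRITABLE_FIELDS` and the configuration field names are hypothetical; only the `par` parameter name and the notion of an empty default key come from the advisory.

```php
<?php
// Added illustration (not AVideo's code). All function and field names here are
// hypothetical; only the `par` parameter and the empty default key come from
// the advisory text.

// Stand-in for the plugin's stored configuration. 'key' defaults to the empty
// string, which is the unconfigured state the advisory describes.
function cdn_config_get(): array {
    return [
        'key'                 => '',   // never set by the operator
        'cdn_url'             => 'https://cdn.example.invalid/',
        'storage_credentials' => 'REDACTED',
    ];
}

// Weak pattern: with the configured key '' and no key in the request,
// '' == '' is true and the check passes. Authentication is silently skipped.
function authorize_weak(array $config, array $request): bool {
    $supplied = $request['key'] ?? '';
    return $config['key'] == $supplied;
}

// Hardened pattern:
//  1. an unconfigured (empty) key means "deny", never "allow";
//  2. the comparison is constant-time, so the key cannot be recovered
//     one byte at a time through response timing.
function authorize_hardened(array $config, array $request): bool {
    $configured = $config['key'] ?? '';
    $supplied   = $request['key'] ?? '';
    if ($configured === '' || $supplied === '') {
        return false;
    }
    return hash_equals($configured, $supplied);
}

// Mass-assignment guard: only fields on an explicit allowlist may be written
// through the endpoint. Credentials and the authentication key itself are
// deliberately absent; they belong to an administrator-only path.
const CDN_WRITABLE_FIELDS = ['cdn_url'];

function apply_config_update(array $config, array $par): array {
    foreach ($par as $field => $value) {
        if (!in_array($field, CDN_WRITABLE_FIELDS, true)) {
            // Reject the whole request instead of silently dropping unknown
            // fields, so attempts to write other fields show up in error logs.
            throw new InvalidArgumentException("field not writable: {$field}");
        }
        if (!is_string($value)) {
            throw new InvalidArgumentException("field must be a string: {$field}");
        }
        $config[$field] = $value;
    }
    return $config;
}

// Constructed sample request: no key supplied, and a `par` array that tries to
// overwrite the CDN URL, the stored credentials and the key in one call.
$request = [
    'par' => [
        'cdn_url'             => 'https://untrusted.invalid/',
        'storage_credentials' => 'replaced',
        'key'                 => 'chosen-by-client',
    ],
];

$config = cdn_config_get();

// The weak check accepts the keyless request; the hardened check refuses it
// because the configured key is still empty.
var_dump(authorize_weak($config, $request));
var_dump(authorize_hardened($config, $request));

// Even for an authenticated caller, the allowlist stops the credential and key
// overwrite: the first non-writable field raises an exception.
try {
    apply_config_update($config, $request['par']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design choice worth noting is the first branch of `authorize_hardened`: treating "no key configured" as "nobody is authorized" is what turns the default state from an open door into a closed one, which is also why the recommended action above of setting a non-empty key matters even after the patch is applied.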

Advisories

Source        ID                    Title
Github GHSA   GHSA-r64r-883r-wcwh   AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
History

Wed, 25 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:00:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wwbn
                                       Wwbn avideo
Vendors & Products                     Wwbn
                                       Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.
Title                          AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php
Weaknesses                     CWE-306
References
Metrics                        cvssV3_1
                               {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:38:32.639Z

Reserved: 2026-03-23T17:06:05.749Z

Link: CVE-2026-33719

Vulnrichment

Updated: 2026-03-25T14:38:22.072Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:42.647

Modified: 2026-03-25T14:56:57.593

Link: CVE-2026-33719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:01Z

Weaknesses