Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Category Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the categories.json.php endpoint of the WWBN AVideo platform, which is responsible for providing a list of video categories. The code fails to enforce user group‑based access controls: with no user parameter the filter is entirely omitted, returning all non‑private categories, including those intended for specific groups. When a ?user= parameter is supplied a type‑confusion bug causes the filter to use the administrator’s group membership (user_id=1) instead of the requested user’s, rendering the restriction ineffective. In either case the end result is that categories that should be hidden from certain users become publicly listed, thereby permitting the disclosure of restricted grouping information. The description does not explicitly state whether authenticated or unauthenticated requests are required to reach the endpoint; based on the wording it is inferred that the API may be reachable without authentication, but the exact authentication model is not documented.

Affected Systems

This flaw affects all released versions of WWBN AVideo up to and including 26.0. The affected component is the categories.json.php API, which serves the category listing data for the application.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests low likelihood of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote HTTP requests directed at the categories.json.php endpoint; the attacker does not need to compromise the host or execute arbitrary code. The impact is confined to unauthorized information disclosure of categories and does not provide privilege escalation or further system compromise.

Generated by OpenCVE AI on April 14, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to any version newer than 26.0 or apply the patch from commit 6e8a673e.
  • If an upgrade is not possible, restrict access to categories.json.php behind authentication and enforce group checks manually at the application level.
  • Verify that the group filtering operates correctly by testing category visibility for different user roles after applying the fix.
  • Monitor web logs for suspicious category requests that may indicate exploitation attempts.

Generated by OpenCVE AI on April 14, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-73gr-r64q-7jh4 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
History

Tue, 14 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix.
Title AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:56:56.507Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34364

cve-icon Vulnrichment

Updated: 2026-03-27T18:43:03.947Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T18:16:05.570

Modified: 2026-04-14T01:22:38.370

Link: CVE-2026-34364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:38Z

Weaknesses