Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Category Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the categories.json.php endpoint of the WWBN AVideo platform. The endpoint is intended to list categories with user-group-based access control. In affected versions (up to and including 26.0), the access check is skipped entirely when no user parameter is supplied, and even when a user parameter is supplied, a type confusion bug causes the filter to use the admin user's group memberships instead of the caller's. This results in the exposure of all non-private categories, including those that should be restricted to specific user groups. The weakness is a missing or broken access control (CWE-863) that allows an attacker to gather information about restricted content without proper authorization.
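The two failure modes described above (a group filter that is skipped on the default path, and a filter that resolves the wrong user when a parameter is supplied) both come down to where the caller's identity comes from and whether the filter runs unconditionally. The following is an added illustration, not AVideo's code and not the patched commit: it models a category listing that applies the group filter on every request path and takes the user id only from the authenticated session, with a strict integer check so that no loose conversion can land on a default id such as 1. All function names, the session layout and the sample categories and memberships are assumptions constructed for the example.

```php
<?php
// Added example (not AVideo's code): a category listing filter that always
// applies user-group checks and resolves the caller's identity only from the
// authenticated session, never from a ?user= query parameter. Function names,
// the session layout and the sample data below are assumptions.
declare(strict_types=1);

// Constructed sample data. 'groups' lists the user groups allowed to see a
// category; an empty list means the category is open to everyone.
const CATEGORIES = [
    ['id' => 1, 'name' => 'Public',   'isPrivate' => false, 'groups' => []],
    ['id' => 2, 'name' => 'Staff',    'isPrivate' => false, 'groups' => [10]],
    ['id' => 3, 'name' => 'Partners', 'isPrivate' => false, 'groups' => [20]],
    ['id' => 4, 'name' => 'Drafts',   'isPrivate' => true,  'groups' => []],
];

// Constructed user -> group memberships. users_id 1 plays the admin role and
// belongs to every group, which is exactly why a filter that silently falls
// back to user 1 lets every restricted category through.
const USER_GROUPS = [
    1 => [10, 20],
    5 => [10],
];

/**
 * Resolve the current user strictly: only from the session and only when the
 * stored value is a positive integer. Anything else (missing, string, bool)
 * is treated as anonymous (null), never as a default user id.
 */
function currentUserId(array $session): ?int
{
    $id = $session['users_id'] ?? null;
    return (is_int($id) && $id > 0) ? $id : null;
}

/** Group memberships for a user id; anonymous and unknown users have none. */
function groupsOf(?int $usersId): array
{
    if ($usersId === null) {
        return [];
    }
    return USER_GROUPS[$usersId] ?? [];
}

/**
 * Categories visible to the given user. The group filter runs on every
 * request path, including the anonymous one, so restricted categories are
 * never exposed simply because no user was identified.
 */
function visibleCategories(?int $usersId): array
{
    $memberOf = groupsOf($usersId);
    $visible = [];
    foreach (CATEGORIES as $category) {
        if ($category['isPrivate']) {
            continue;                          // private: never listed here
        }
        if ($category['groups'] === []) {
            $visible[] = $category['name'];    // open to everyone
            continue;
        }
        // Restricted: list only if the caller shares at least one group.
        if (array_intersect($category['groups'], $memberOf) !== []) {
            $visible[] = $category['name'];
        }
    }
    return $visible;
}

// Usage: identity comes from the session; the query string is never consulted.
$result = [
    'anonymous' => visibleCategories(currentUserId([])),
    'staff'     => visibleCategories(currentUserId(['users_id' => 5])),
    'string_id' => visibleCategories(currentUserId(['users_id' => '1'])),
    'admin'     => visibleCategories(currentUserId(['users_id' => 1])),
];
echo json_encode($result, JSON_PRETTY_PRINT), PHP_EOL;
```

The design point is that the filter has no bypass path: an anonymous caller receives only open categories, a member receives the categories of the groups they belong to, and a session value that is not a genuine integer is treated as anonymous rather than coerced. In PHP, loose conversions such as `(int) true` or `intval("1abc")` both yield 1, so any lookup that accepts an untyped value can quietly resolve to the first user in the table; `declare(strict_types=1)` together with the explicit `is_int` check prevents that. This sketch does not claim to reproduce the exact conversion in AVideo's code.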

Affected Systems

The affected product is the WWBN AVideo platform. Versions up to and including 26.0 are impacted. The vulnerability affects the categories.json.php endpoint that serves the category listing API.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Because the categories.json.php endpoint can be invoked without authentication, an attacker can simply request the API and observe the unfiltered category list. The attack vector is an HTTP GET request to categories.json.php, optionally with a user query string; no further exploitation steps are required. The lack of authentication combined with the missing access control makes the vulnerability straightforward to exploit, leading to unauthorized disclosure of category metadata.

Generated by OpenCVE AI on March 27, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that includes commit 6e8a673e to fix the missing group filtering and type confusion bug.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix.
Title | (none) | AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Weaknesses | (none) | CWE-863
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:56:56.507Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34364

Vulnrichment

Updated: 2026-03-27T18:43:03.947Z

NVD

Status: Received

Published: 2026-03-27T18:16:05.570

Modified: 2026-03-27T20:16:35.520

Link: CVE-2026-34364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:52Z

Weaknesses