Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Unrestricted access to password-protected video URLs
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated caller of AVideo's API endpoints to obtain direct video playback URLs for content that is otherwise protected by a password. Because the API path does not perform the same password check that the normal web player uses, the attacker can retrieve the full MP4 and HLS stream locations and play them without any credential. This results in unauthorized disclosure of the protected video media and undermines the platform's privacy controls. The weakness is a missing authorization check (CWE-862).

Affected Systems

AVideo, the open source video platform maintained by WWBN, is affected in all released versions up to and including 26.0. Users running any of these versions and relying on the protected-video feature should verify which version they are using. Later revisions after the fix are not impacted.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates medium severity: the endpoints are reachable over the network, the attack has low complexity, and no privileges or user interaction are required, so any external actor can call the API without authentication. Because exploitation does not depend on a complex condition or on privilege escalation, the only practical precondition is knowledge of the video ID, which is generally public. Although the vulnerability is not presently listed in CISA's KEV catalog and no EPSS data are available, the straightforward nature of the attack and the potential for privacy loss make immediate remediation advisable.

Generated by OpenCVE AI on March 27, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to a version newer than 26.0 that includes the authentication check for the API endpoints.
  • If an upgrade is not feasible immediately, restrict or guard the get_api_video and get_api_video_file endpoints so that only authenticated requests can retrieve playback URLs.
  • Test the API after applying changes to confirm that password-protected videos no longer return playback URLs to unauthenticated callers.
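The following PHP sketch is an added example, not AVideo's code, showing the pattern behind the recommendations above: an API handler that hands out playback sources unconditionally beside one that applies the same password decision the web player makes. The `$video` array shape, `getPlaybackSources()`, the owner/admin bypass and the assumption that the video password is stored as a `password_hash()` digest are all hypothetical and not taken from the project.

```php
<?php
declare(strict_types=1);
// Added example (not AVideo's code). Illustrates the missing authorization
// check described in CVE-2026-34369 and one way to close it on the API path.
// All names below are hypothetical: the $video array, getPlaybackSources(),
// and the owner/admin bypass are assumptions, not the project's own API.

/** Hypothetical: the sources the player needs; exactly what the API must not leak. */
function getPlaybackSources(array $video): array
{
    return [
        'mp4' => "https://cdn.example.invalid/videos/{$video['id']}/index.mp4",
        'hls' => "https://cdn.example.invalid/videos/{$video['id']}/index.m3u8",
    ];
}

/** Vulnerable pattern: returns sources for every video, password-protected or not. */
function apiVideoVulnerable(array $video): array
{
    return ['error' => false, 'sources' => getPlaybackSources($video)];
}

/**
 * Authorization decision applied on the API path, mirroring what the web
 * player enforces. Assumes the video password is stored as a password_hash()
 * digest in $video['password_hash']; null or '' means the video is public.
 */
function canAccessProtectedVideo(array $video, ?string $suppliedPassword, bool $isOwnerOrAdmin): bool
{
    if (empty($video['password_hash'])) {
        return true;                      // not password-protected
    }
    if ($isOwnerOrAdmin) {
        return true;                      // hypothetical owner/admin bypass
    }
    if ($suppliedPassword === null || $suppliedPassword === '') {
        return false;                     // anonymous caller, no password given
    }
    return password_verify($suppliedPassword, $video['password_hash']);
}

/** Hardened pattern: metadata may still be listed, but no sources without authorization. */
function apiVideoHardened(array $video, ?string $suppliedPassword, bool $isOwnerOrAdmin): array
{
    if (!canAccessProtectedVideo($video, $suppliedPassword, $isOwnerOrAdmin)) {
        return ['error' => true, 'msg' => 'Video is password protected', 'sources' => []];
    }
    return ['error' => false, 'sources' => getPlaybackSources($video)];
}

/** Tiny check helper so the script reports results regardless of zend.assertions. */
function expect(bool $cond, string $what): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Constructed sample data (not real videos).
$protected = ['id' => 42, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)];
$public    = ['id' => 7,  'password_hash' => null];

expect(apiVideoVulnerable($protected)['sources'] !== [],                 'vulnerable handler leaks sources of a protected video');
expect(apiVideoHardened($protected, null, false)['sources'] === [],      'hardened: anonymous caller gets no sources');
expect(apiVideoHardened($protected, 'wrong', false)['sources'] === [],   'hardened: wrong password gets no sources');
expect(apiVideoHardened($protected, 'correct horse', false)['sources'] !== [], 'hardened: correct password gets sources');
expect(apiVideoHardened($protected, null, true)['sources'] !== [],       'hardened: owner/admin gets sources');
expect(apiVideoHardened($public, null, false)['sources'] !== [],         'hardened: public video still served');
```

The last of the recommended actions (re-testing after the change) is what the `expect()` lines model: the check that matters is that a request for a protected video without a valid password returns an empty `sources` list, while public videos and correctly authenticated requests behave as before.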

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
Title | | AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T18:13:23.534Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34369

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T19:16:42.737

Modified: 2026-03-27T19:16:42.737

Link: CVE-2026-34369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:50Z

Weaknesses