Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Video Content
Action: Apply Patch
AI Analysis

Impact

The vulnerable API endpoints return full playback URLs for password‑protected videos without verifying the password, so an attacker can obtain direct MP4 or HLS URLs and bypass the intended privacy control. The weakness is a missing access check, the ‘Missing Authorization’ pattern (CWE-862). An attacker who succeeds can view, download, or redistribute content that was meant to be restricted, compromising confidentiality and potentially violating licensing agreements.

Affected Systems

The issue affects the WWBN AVideo open‑source platform, versions up to and including 26.0. Any deployment running these versions that hosts password‑protected videos is vulnerable. The flaw sits in the get_api_video_file and get_api_video API endpoints: the CustomizeUser::getModeYouTube() hook that enforces the password check for web playback is not applied on this API code path.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker exploits the flaw by making unauthenticated API calls to the vulnerable endpoints and retrieving playback URLs without supplying any credentials; the description indicates no prerequisite beyond access to the API.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix by updating AVideo to a version newer than 26.0 or by applying the patch commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7
  • Restrict unauthenticated access to the get_api_video_file and get_api_video endpoints using a firewall or reverse‑proxy rule
  • Verify that password protection enforcement works for all playback URLs after applying the fix
  • Monitor API usage for any unauthorized attempts to retrieve video URLs
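The monitoring step above can be started from the web server's access log. The following is an added example, not OpenCVE's or AVideo's own code: it picks out requests to the two endpoints named in the advisory and flags clients that walk many distinct video ids, which is what enumeration of password-protected videos through the API would look like. It assumes the AVideo API is reached through get.json.php with APIName and videos_id query parameters (an assumption about the request shape, not taken from the advisory), and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint names come from the advisory; the request shape (get.json.php
# with an APIName query parameter) is an assumption about AVideo's API plugin.
VULNERABLE_ENDPOINTS = {"get_api_video_file", "get_api_video"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

def parse_api_call(line):
    """Return (ip, endpoint, videos_id) for a hit on a vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("get.json.php"):
        return None
    qs = parse_qs(url.query)
    endpoint = qs.get("APIName", [""])[0]  # exact match, so get_api_video_file != get_api_video
    if endpoint not in VULNERABLE_ENDPOINTS:
        return None
    return m.group("ip"), endpoint, qs.get("videos_id", ["?"])[0]

def summarize_api_hits(lines, enumeration_threshold=3):
    """Per client IP: call count, distinct video ids, and a flag when the client
    walked enough distinct ids to look like enumeration of protected videos."""
    per_ip = defaultdict(lambda: {"calls": 0, "videos": set()})
    for line in lines:
        parsed = parse_api_call(line)
        if parsed:
            ip, _endpoint, video_id = parsed
            per_ip[ip]["calls"] += 1
            per_ip[ip]["videos"].add(video_id)
    return {ip: {"calls": e["calls"], "distinct_videos": len(e["videos"]),
                 "suspicious": len(e["videos"]) >= enumeration_threshold}
            for ip, e in per_ip.items()}

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:19:00:01 +0000] "GET /plugin/API/get.json.php?APIName=get_api_video_file&videos_id=101 HTTP/1.1" 200 812 "-" "curl/8.0"',
    '203.0.113.7 - - [31/Mar/2026:19:00:02 +0000] "GET /plugin/API/get.json.php?APIName=get_api_video_file&videos_id=102 HTTP/1.1" 200 790 "-" "curl/8.0"',
    '203.0.113.7 - - [31/Mar/2026:19:00:03 +0000] "GET /plugin/API/get.json.php?APIName=get_api_video&videos_id=103 HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '198.51.100.4 - - [31/Mar/2026:19:05:10 +0000] "GET /plugin/API/get.json.php?APIName=get_api_video&videos_id=101 HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [31/Mar/2026:19:06:00 +0000] "GET /video/101 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in summarize_api_hits(SAMPLE_LOG).items():
        print(ip, summary)
```

Feed it the real access log line by line; the threshold is a starting point to tune against normal player traffic, since a legitimate session also calls these endpoints once per video it plays.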

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-q6jj-r49p-94fh
Title: AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
History

Tue, 31 Mar 2026 19:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values Removed: (none)
Values Added: Wwbn; Wwbn avideo

Fri, 27 Mar 2026 18:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
Type: Title
Values Removed: (none)
Values Added: AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862
Type: References
Values Removed: (none)
Values Added: (empty)
Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T19:03:08.076Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34369

Vulnrichment

Updated: 2026-03-30T19:03:00.258Z

NVD

Status: Analyzed

Published: 2026-03-27T19:16:42.737

Modified: 2026-03-31T18:50:13.923

Link: CVE-2026-34369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:31Z

Weaknesses