Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized video publication bypass
Action: Assess Impact
AI Analysis

Impact

The flaw in WWBN AVideo up through version 26 permits any user with upload rights to supply an overrideStatus request parameter and set a video's status to any valid state, including the publicly visible "active" state. This bypasses the administrator‑controlled moderation workflow, so unreviewed content can go live without passing policy checks. The weakness arises because the server validates the status value against an approved list but does not confirm that the caller has permission to apply that status, which is an improper authorization weakness (CWE‑285).

Affected Systems

Affected users are those who have been granted upload permissions on installations of WWBN AVideo running version 26.0 or earlier. Later releases have removed or secured the overrideStatus parameter. The vulnerability is exploited through the upload functionality alone and requires no action beyond creating or editing a video entry. Organizations that allow wide content contribution must review which accounts hold upload rights.

Risk and Exploitability

The CVSS base score of 4.3 places the vulnerability in the Medium severity range. The EPSS score indicates a very low probability of exploitation, less than 1%. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker can exploit the flaw simply by submitting an upload request containing the overrideStatus parameter, without needing further privileges or internal access to the application. The impact is limited to videos being published without moderation, potentially exposing the site to policy‑violating or inappropriate content.

Generated by OpenCVE AI on April 2, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict upload permissions so only trusted users can submit videos.
  • Remove or ignore the overrideStatus parameter from the server‑side upload handling code.
  • Add server‑side checks that allow status changes to "active" only for administrators or users with explicit review rights.
  • Monitor newly published videos for compliance with content policies.
  • Keep the AVideo installation up‑to‑date by checking the WWBN repository for any patch or newer release that corrects the issue.
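
The server-side check recommended above, sketched as an added example; this is not AVideo's code. The function names, the Caller class and every status code other than "a" are hypothetical. It places the validate-only pattern the description reports beside a setter that also authorizes the caller for the requested status.

```php
<?php
// Constructed status codes for illustration; only "a" (active) is named on the page.
const KNOWN_STATUSES = ['a', 'i', 'd', 'e'];
// Statuses that make a video publicly visible and therefore need review rights.
const PRIVILEGED_STATUSES = ['a'];

final class Caller // hypothetical stand-in for the authenticated user
{
    public function __construct(public bool $canUpload, public bool $canModerate) {}
}

// Pattern described in the advisory: the value is validated, the caller is not.
function setStatusValidatedOnly(string $status): string
{
    if (!in_array($status, KNOWN_STATUSES, true)) {
        throw new InvalidArgumentException("unknown status: $status");
    }
    return $status;
}

// Hardened form: same validation, plus an authorization check per target status.
function setStatusAuthorized(Caller $caller, string $status): string
{
    if (!in_array($status, KNOWN_STATUSES, true)) {
        throw new InvalidArgumentException("unknown status: $status");
    }
    if (!$caller->canUpload) {
        throw new RuntimeException('caller may not modify videos');
    }
    if (in_array($status, PRIVILEGED_STATUSES, true) && !$caller->canModerate) {
        throw new RuntimeException("caller may not set status: $status");
    }
    return $status;
}

// Request handling: a client-supplied override is honoured only for moderators;
// everyone else gets the server-chosen default (constructed as "i" here).
function resolveUploadStatus(Caller $caller, array $request, string $default = 'i'): string
{
    $requested = $request['overrideStatus'] ?? null;
    if (!is_string($requested) || !$caller->canModerate) {
        return setStatusAuthorized($caller, $default);
    }
    return setStatusAuthorized($caller, $requested);
}

// Constructed request: an uploader without review rights asks for "a".
echo resolveUploadStatus(new Caller(true, false), ['overrideStatus' => 'a']), PHP_EOL;
```

Passing the same constructed request through setStatusValidatedOnly() returns "a", which is the bypass the description reports.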



Advisories
Source: Github GHSA
ID: GHSA-m577-w9j8-ch7j
Title: AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
History

Wed, 01 Apr 2026 23:45:00 +0000

Values added:
  • First Time appeared: Wwbn; Wwbn avideo
  • CPEs: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
  • Vendors & Products: Wwbn; Wwbn avideo
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  • Description: the text given under Description at the top of this page
  • Title: AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
  • Weaknesses: CWE-285
  • References
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:53:23.775Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34738

Vulnrichment

Updated: 2026-04-01T15:46:35.881Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:32.410

Modified: 2026-04-01T18:42:05.013

Link: CVE-2026-34738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:36Z

Weaknesses