Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized proxy to Instagram Graph API via unauthenticated endpoint
Action: Apply Patch
AI Analysis

Impact

The SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that forwards requests directly to the Instagram Graph API without validating the origin of the request. Parameters such as an access token, container ID, and Instagram account ID are accepted from untrusted users and passed to InstagramUploader::publishMediaIfIsReady(). This enables any internet user to trick the server into making arbitrary Graph API calls, potentially using stolen tokens or the platform’s own credentials. The result can be unwanted posts, data exfiltration, or abuse of the account’s messaging capabilities, reflecting a missing authentication flaw identified by CWE‑862.

Affected Systems

WWBN AVideo, versions 26.0 and earlier, have the vulnerable endpoint. Versions newer than 26.0 are presumed to have the vulnerability remedied.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity. Because the endpoint accepts requests without authentication, an attacker only needs to issue a simple HTTP call to publishInstagram.json.php to exploit the flaw. The EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been documented, yet the low barrier to entry poses a real threat to systems that rely on this plugin.

Generated by OpenCVE AI on April 7, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to version newer than 26.0 where the proxy endpoint is removed or secured.
  • If an upgrade is not possible, uninstall or disable the SocialMediaPublisher plugin to eliminate the exposed API.
  • Restrict access to publishInstagram.json.php by implementing HTTP authentication or IP whitelisting until a patch is applied.
  • Monitor web server logs for unusual requests to the endpoint and verify that no unauthorized media is being posted to Instagram.
  • As a temporary safeguard, enforce server-side validation of access tokens and refuse to forward requests that use external or unverified tokens.

Generated by OpenCVE AI on April 7, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x9w5-xccw-5h9w AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials.
Title WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:14:54.142Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35179

cve-icon Vulnrichment

Updated: 2026-04-07T16:14:51.023Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-06T20:16:26.080

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35179

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:36Z

Weaknesses