Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of stream keys and OAuth tokens
Action: Apply Patch
AI Analysis

Impact

WWBN AVideo, an open source video platform, has an IDOR flaw in the Live restream list endpoint: any authenticated user with streaming permission can view other users' live restream configurations. The exposed data includes third-party stream keys and OAuth access and refresh tokens for YouTube Live, Facebook Live, and Twitch, which an attacker could use to push video to a victim's channel or act against the linked platform account. The assigned weakness, CWE-639 (Authorization Bypass Through User-Controlled Key), describes the root cause: the endpoint checks that the caller is allowed to stream but does not check that the records it returns belong to the caller.
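The failure class CWE-639 names, shown as an added illustration rather than AVideo's own code: a listing endpoint that keys its query on a request-controlled (or missing) user id, next to the form scoped to the authenticated session and stripped of secrets. The table and field names used here (users_id, stream_key, access_token, refresh_token) and the request shape are assumptions for the example; the real code paths and their fix are in commit d5992fff2811df4adad1d9fc7d0a5837b882aed7.

```php
<?php
// Added illustration (not AVideo's code) of the CWE-639 pattern behind this CVE:
// a restream listing that keys the lookup on a request-controlled user id, next
// to a version scoped to the session user and stripped of secrets. Table and
// field names (users_id, stream_key, access_token, refresh_token) are assumptions.
declare(strict_types=1);

// Constructed sample rows standing in for the restream configuration table.
const RESTREAMS = [
    ['id' => 1, 'users_id' => 7, 'service' => 'youtube',  'stream_key' => 'yt-key-7',
     'access_token' => 'ya29.A', 'refresh_token' => '1//r7'],
    ['id' => 2, 'users_id' => 9, 'service' => 'twitch',   'stream_key' => 'live_9_abc',
     'access_token' => null,     'refresh_token' => null],
    ['id' => 3, 'users_id' => 7, 'service' => 'facebook', 'stream_key' => 'fb-key-7',
     'access_token' => 'EAAB7',  'refresh_token' => null],
];

// Stand-in for the database query. null means "no WHERE users_id = ? clause".
function queryRestreams(?int $ownerId): array
{
    if ($ownerId === null) {
        return RESTREAMS;
    }
    return array_values(array_filter(
        RESTREAMS,
        fn(array $r): bool => $r['users_id'] === $ownerId
    ));
}

// Vulnerable shape: the caller has passed authentication and the streaming
// permission check, but the owner filter comes from the request (or is absent),
// so any streamer can list every user's rows, secrets included.
function listRestreamsVulnerable(int $sessionUserId, bool $canStream, array $request): array
{
    if (!$canStream) {
        return ['error' => true, 'msg' => 'streaming permission required'];
    }
    $owner = isset($request['users_id']) ? (int) $request['users_id'] : null;
    return ['error' => false, 'rows' => queryRestreams($owner)];
}

// Fixed shape: the owner is the authenticated session user, never a request
// value, and a listing reports which services are linked without echoing the
// stream keys or OAuth tokens back to the browser.
function listRestreamsFixed(int $sessionUserId, bool $canStream, array $request): array
{
    if (!$canStream) {
        return ['error' => true, 'msg' => 'streaming permission required'];
    }
    $rows = queryRestreams($sessionUserId);   // $request is deliberately ignored
    return ['error' => false, 'rows' => array_map('redactRestream', $rows)];
}

function redactRestream(array $row): array
{
    foreach (['stream_key', 'access_token', 'refresh_token'] as $secret) {
        if (!empty($row[$secret])) {
            // Keep the last two characters so the owner can tell which key is linked.
            $row[$secret] = '********' . substr($row[$secret], -2);
        }
    }
    return $row;
}

// Usage: user 9 (a legitimate streamer) requests a list while naming user 7.
$request = ['users_id' => '7'];
$leak  = listRestreamsVulnerable(9, true, $request);
$fixed = listRestreamsFixed(9, true, $request);

printf("vulnerable: %d row(s) owned by user(s) %s, first stream_key %s\n",
    count($leak['rows']),
    implode(',', array_unique(array_column($leak['rows'], 'users_id'))),
    $leak['rows'][0]['stream_key']);
printf("fixed: %d row(s) owned by user(s) %s, first stream_key %s\n",
    count($fixed['rows']),
    implode(',', array_unique(array_column($fixed['rows'], 'users_id'))),
    $fixed['rows'][0]['stream_key']);
```

Run with `php`, the vulnerable path hands user 9 both of user 7's rows with plaintext keys and tokens, while the fixed path returns only user 9's own row with the key masked. Scoping the query to the session user is the actual IDOR fix; not returning refresh tokens from a listing at all is the defence in depth that limits what any future authorization slip can leak.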

Affected Systems

Versions of WWBN AVideo up to and including 29.0 are affected. The flaw is in the plugin/Live/view/Live_restreams/list.json.php endpoint, which returns live restream configurations as JSON. Operators running an affected version should confirm their installation includes the fix commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 or a later release.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low privileges required, no user interaction, high confidentiality impact and no direct integrity or availability impact. The EPSS score is below 1%, the flaw is not listed in the CISA KEV catalog, and the SSVC entry records exploitation at the proof-of-concept level. The attacker must be authenticated and hold streaming permission, after which the target data can be fetched directly from the vulnerable endpoint. The most likely attack vector is an internal user or compromised account leveraging normal streaming privileges to read other users' configurations. Because the exposed values are stream keys and OAuth tokens, a successful request translates directly into hijacked streams or compromised third-party accounts, so the practical impact exceeds what a confidentiality-only CVSS vector suggests.

Generated by OpenCVE AI on April 22, 2026 at 05:26 UTC.

Remediation

Fixed upstream in commit d5992fff2811df4adad1d9fc7d0a5837b882aed7; no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to an AVideo release that includes commit d5992fff2811df4adad1d9fc7d0a5837b882aed7, or apply that commit directly.
  • Limit streaming permission to trusted users and review those grants regularly; until the patch is applied, every user holding it can read every other user's restream credentials.
  • Rotate the stream keys and OAuth tokens of all accounts that had restream configurations on an affected instance, and revoke the old credentials at the third-party platforms, since copies already retrieved remain valid until revoked.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 04:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wwbn
                                      Wwbn avideo
Vendors & Products                    Wwbn
                                      Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type         Values Removed   Values Added
Description                   WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
Title                         WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens
Weaknesses                    CWE-639
References
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:06:56.844Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40907

Vulnrichment

Updated: 2026-04-21T20:06:45.511Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T20:17:03.080

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses