Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.
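As an added illustration of the flaw described above (not AVideo's own code), the sketch below places the vulnerable handler shape, where a request parameter decides whether the admin-only guard applies, next to a hardened shape in which both the listing and the users_id lookup depend only on the caller's session. The $USERS array, the $callerIsAdmin flag and the function names are assumptions standing in for the platform's user model and session check.

```php
<?php
// Added illustration of the flaw described above; not AVideo's own code.
// $USERS is constructed sample data standing in for the users table and
// $callerIsAdmin for whatever the real session check returns.
$USERS = [
    1 => ['id' => 1, 'identification' => 'alice', 'email' => 'alice@example.test'],
    2 => ['id' => 2, 'identification' => 'bob',   'email' => 'bob@example.test'],
];
// Fields the endpoint returns per the advisory (no e-mail or credentials).
function publicCard(array $u): array {
    return ['id' => $u['id'], 'identification' => $u['identification'], 'status' => 'active'];
}

// The admin-only guard inside the listing; null means "refused".
function getAllUsers(array $users, bool $ignoreAdmin, bool $callerIsAdmin): ?array {
    if (!$ignoreAdmin && !$callerIsAdmin) {
        return null;
    }
    return array_map('publicCard', array_values($users));
}

// Vulnerable shape: a request parameter flips the guard for non-admin callers,
// and the users_id path never consults the guard at all.
function vulnerableHandler(array $get, bool $callerIsAdmin, array $users): array {
    if (isset($get['users_id'])) {
        $u = $users[(int) $get['users_id']] ?? null;
        return ['user' => $u === null ? null : publicCard($u)];
    }
    $ignoreAdmin = !$callerIsAdmin && !empty($get['isCompany']); // attacker-controlled
    $rows = getAllUsers($users, $ignoreAdmin, $callerIsAdmin);
    return ['users' => $rows, 'total' => $rows === null ? 0 : count($rows)];
}

// Hardened shape: authorization comes only from the session, request input never
// reaches the guard, and the single-user lookup sits behind the same check.
function hardenedHandler(array $get, bool $callerIsAdmin, array $users): array {
    if (!$callerIsAdmin) {
        return ['error' => 'forbidden', 'status' => 403];
    }
    if (isset($get['users_id'])) {
        $u = $users[(int) $get['users_id']] ?? null;
        return ['user' => $u === null ? null : publicCard($u)];
    }
    $rows = getAllUsers($users, false, true);
    return ['users' => $rows, 'total' => count($rows)];
}
// Anonymous caller with isCompany=1: the old shape lists every account, the new one refuses.
echo json_encode(vulnerableHandler(['isCompany' => '1'], false, $USERS)), "\n";
echo json_encode(hardenedHandler(['isCompany' => '1'], false, $USERS)), "\n";
```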
Published: 2026-05-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows any visitor, including those who are not logged in, to reach two code paths in the objects/users.json.php endpoint of the AVideo application. One path accepts an arbitrary isCompany flag and internally flips a guard that normally limits user data to administrators. The other accepts a users_id identifier and returns the requested user's record without any permission check. Together the two paths expose the complete list of registered accounts, including identifiers, display names, channel URLs, profile images, background settings, status messages, and the total number of accounts. The result is a user-information oracle that an attacker can harvest in full.

Affected Systems

WWBN AVideo releases up to and including version 29.0 are affected. Users running any build derived from those versions are susceptible to the two unauthenticated data-exposure paths. The vulnerability was addressed in a commit published on the AVideo repository, which updates the underlying logic to enforce proper access checks.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the medium severity range. EPSS puts the exploitation probability below 1%, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of exploitation in the wild. The attack vector is nevertheless straightforward: an attacker only needs to send an HTTP GET request to the exposed endpoint from any host that can reach the instance. No authentication or privilege escalation is required, so discovery and exploitation take minimal effort. The risk is primarily the accidental or intentional collection of user data, which can be leveraged for phishing or social engineering. In the absence of active exploitation reports the probability of exploitation remains low to moderate, but the potential privacy impact makes remediation important.

Generated by OpenCVE AI on May 11, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version that includes commit d9cdc702481a626b15f814f6093f1e2a9c20d375 or later, which restores the admin-only guard and removes the unsecured user lookup endpoint.
  • Configure the web server or application firewall to deny requests to /objects/users.json.php from unauthenticated clients, or temporarily block the endpoint altogether until the patch is deployed.
  • Monitor access logs for unexpected calls to the two endpoints and audit for any data harvesting activity.

Advisories

Source: GitHub GHSA
ID: GHSA-6rvw-7p8v-mjfq
Title: AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
History

Tue, 12 May 2026 14:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 00:30:00 +0000
  First Time appeared (added): Wwbn; Wwbn avideo
  Vendors & Products (added): Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000
  Description (added): WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.
  Title (added): WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard
  Weaknesses (added): CWE-306
  References (added): none listed
  Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:23:37.055Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43881

Vulnrichment

Updated: 2026-05-12T13:23:33.749Z

NVD

Status: Deferred

Published: 2026-05-11T22:22:12.667

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:15:05Z

Weaknesses