CVE-2026-34245: Missing Authorization and IDOR in WWBN AVideo PlayLists Plugin
Vulnerability ID: CVE-2026-34245
CVSS Score: 6.3
Published: 2026-03-29
WWBN AVideo versions 26.0 and prior suffer from a missing authorization vulnerability within the PlayLists plugin. The add.json.php endpoint fails to validate whether an authenticated user possesses management rights over target playlist schedules. This oversight allows low-privileged attackers with basic streaming permissions to forge schedule entries, leading to unauthorized cross-user broadcast hijacking and stream disruption.
TL;DR
An Insecure Direct Object Reference (IDOR) flaw in WWBN AVideo <= 26.0 allows authenticated users to create or modify broadcast schedules for any playlist. Attackers can hijack live streams and displace content by sending crafted POST requests to the vulnerable add.json.php endpoint.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-862, CWE-639
- Attack Vector: Network
- CVSS Score: 6.3 (Medium)
- EPSS Percentile: 9.88%
- Impact: Cross-User Broadcast Hijacking
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo <= 26.0 (fixed in 26.1)
Code Analysis
Commit 1e6dc20: Add authorization checks to Playlists_schedules add.json.php
Mitigation Strategies
- Upgrade to WWBN AVideo version 26.1 or later
- Implement application-aware WAF rules to validate payload ownership
- Audit existing playlist schedules for anomalous or unauthorized entries
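The following is an added illustration, not AVideo's code or schema: it models the object-level authorization check that the advisory describes as missing from add.json.php (a handler that only confirms the caller is logged in, beside one that also confirms the caller may manage the target playlist) and the kind of ownership audit the mitigation list asks for over existing schedule entries. The Playlist/Schedule records, the can_manage_playlist rule and the sample rows are all constructed assumptions for the example.

```python
"""
Added example (not AVideo's own code): models the authorization check that
CVE-2026-34245 describes as missing, plus an ownership audit of existing
schedule rows. Data structures, names and sample records are constructed for
illustration and do not reflect AVideo's real schema or API.
"""
from dataclasses import dataclass, field


@dataclass
class Playlist:
    id: int
    owner_id: int          # user who created / manages the playlist (assumed model)


@dataclass
class Schedule:
    id: int
    playlist_id: int
    created_by: int        # authenticated user who submitted the entry
    start: str             # constructed ISO-8601 start time


@dataclass
class Store:
    playlists: dict = field(default_factory=dict)   # playlist id -> Playlist
    schedules: list = field(default_factory=list)   # appended Schedule rows


class Forbidden(Exception):
    pass


def can_manage_playlist(store, user_id, playlist_id, is_admin=False):
    """Hypothetical ownership rule: admins, or the playlist's owner only."""
    pl = store.playlists.get(playlist_id)
    if pl is None:
        return False
    return is_admin or pl.owner_id == user_id


def add_schedule_vulnerable(store, user_id, playlist_id, start):
    """Pattern the advisory describes: checks only that the caller is
    authenticated, never that they may manage the target playlist."""
    if not user_id:
        raise Forbidden("login required")
    sched = Schedule(len(store.schedules) + 1, playlist_id, user_id, start)
    store.schedules.append(sched)
    return sched


def add_schedule_fixed(store, user_id, playlist_id, start, is_admin=False):
    """Hardened handler: object-level authorization before the write."""
    if not user_id:
        raise Forbidden("login required")
    if not can_manage_playlist(store, user_id, playlist_id, is_admin):
        raise Forbidden(f"user {user_id} may not manage playlist {playlist_id}")
    sched = Schedule(len(store.schedules) + 1, playlist_id, user_id, start)
    store.schedules.append(sched)
    return sched


def audit_schedules(store):
    """Return ids of schedule rows whose creator does not own the target
    playlist (candidates for the unauthorized entries the mitigation section
    asks operators to review). Rows legitimately created by admins would need
    an allow-list on top of this."""
    return [s.id for s in store.schedules
            if s.playlist_id not in store.playlists
            or store.playlists[s.playlist_id].owner_id != s.created_by]


def demo():
    """Constructed scenario: user 20 has basic permissions, user 10 owns playlist 1."""
    store = Store(playlists={1: Playlist(1, owner_id=10),
                             2: Playlist(2, owner_id=20)})
    # Missing-check path: user 20 writes a schedule into user 10's playlist.
    add_schedule_vulnerable(store, 20, 1, "2026-04-01T20:00:00Z")
    # Fixed path rejects the same request.
    try:
        add_schedule_fixed(store, 20, 1, "2026-04-01T21:00:00Z")
        rejected = False
    except Forbidden:
        rejected = True
    # The owner's own request still succeeds.
    add_schedule_fixed(store, 10, 1, "2026-04-01T22:00:00Z")
    # The audit flags only the row written through the unchecked path.
    return rejected, audit_schedules(store)


if __name__ == "__main__":
    print(demo())  # (True, [1])
```

The point of the audit function is that an ownership check added to the endpoint does nothing about rows that were written before the upgrade; comparing each schedule's creator against the playlist owner (or whatever ownership relation the deployment actually uses) is the offline counterpart of the check the fix adds online.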
Remediation Steps:
- Identify all active WWBN AVideo installations
- Verify the current version is <= 26.0
- Download the latest release or apply commit 1e6dc20172de986f60641eb4fdb4090f079ffdce manually
- Restart web services and clear application caches
- Review cron jobs and schedule logs for indicators of compromise
References
- GitHub Advisory: GHSA-2rm7-j397-3fqg
- Fix Commit: 1e6dc20172de986f60641eb4fdb4090f079ffdce
- NVD Record for CVE-2026-34245
- CVE.org Record
- TheHackerWire Alert