CVE-2026-34245
Privilege Escalation via Broadcast Schedule Manipulation in WWBN AVideo
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users to create or modify broadcast schedules on playlists they do not own, leading to content hijacking, stream disruption, and identity abuse. This unauthorized access and manipulation of user content and identity could potentially violate data protection and privacy regulations such as GDPR and HIPAA, which require strict controls over access to personal data and user consent.
Specifically, the unauthorized rebroadcasts run under the victim playlist owner's identity, which may lead to misuse of personal data or content, impacting confidentiality and integrity requirements mandated by these regulations.
Although the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the nature of the vulnerability (unauthorized access to, and manipulation of, user content and identity) implies a risk of non-compliance with such regulations.
Can you explain this vulnerability to me?
CVE-2026-34245 is a missing authorization vulnerability in the WWBN AVideo platform up to and including version 26.0. It affects the endpoint responsible for creating or modifying broadcast schedules for playlists. Any authenticated user with streaming permission can create or change schedules targeting any playlist on the platform, because the endpoint never verifies whether that user owns or manages the target playlist.
Because the platform does not check playlist ownership before allowing schedule modifications, attackers can hijack broadcasts by scheduling rebroadcasts that run under the victim playlist owner's identity. This allows unauthorized users to manipulate content and disrupt streams.
How can this vulnerability impact me?
This vulnerability can impact you in several ways if you use the affected WWBN AVideo platform:
- Content Hijacking: Attackers can force broadcasts of your playlists, including private or paid streams, without your consent.
- Stream Disruption: Unauthorized scheduled rebroadcasts can interfere with your legitimate live streams.
- Identity Abuse: Rebroadcasts appear as if they were initiated by you, the playlist owner, potentially damaging your reputation.
- Resource Consumption: Attackers can consume your server bandwidth by scheduling unwanted broadcasts.
- Schedule Tampering: Existing broadcast schedules can be modified or redirected by unauthorized users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing the playlist schedule creation and modification endpoint at `plugin/PlayLists/View/Playlists_schedules/add.json.php` for unauthorized access.
Specifically, you can attempt to create or modify broadcast schedules targeting playlists you do not own while authenticated as a user with streaming permissions. If the system allows such actions without ownership verification, it is vulnerable.
Suggested commands include sending POST requests to the vulnerable endpoint with playlist IDs that belong to other users and checking if the requests succeed.
- Use curl to test schedule creation for another user's playlist: `curl -X POST -d "playlists_id=<victim_playlist_id>&name=TestSchedule&start_datetime=2026-01-01T00:00:00&finish_datetime=2026-01-01T01:00:00" -b cookies.txt https://your-avideo-instance/plugin/PlayLists/View/Playlists_schedules/add.json.php`
- Attempt to modify an existing schedule by including its ID in the POST data and observe if the modification is allowed without ownership.
If these requests succeed without ownership validation errors, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the patch that adds ownership verification checks to the playlist schedule management endpoint.
Specifically, ensure that the `add.json.php` endpoint verifies that the authenticated user has management rights over the target playlist before allowing schedule creation or modification.
If patching is not immediately possible, restrict access to the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint to trusted users only or disable the PlayLists plugin temporarily.
- Apply the patch from commit 1e6dc20172de986f60641eb4fdb4090f079ffdce which enforces ownership checks.
- Verify that users have streaming permissions and management rights before allowing schedule creation or modification.
- Monitor logs for unauthorized schedule creation or modification attempts.
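The last mitigation step above (monitoring for unauthorized schedule changes) and the earlier detection answer both come down to the same check a defender wants automated: flag every schedule create or modify on `add.json.php` where the requesting user is not the playlist owner. The script below is an added example, not code from the AVideo project or from this page. It assumes an application-level audit log in the constructed `key=value` format shown in `SAMPLE_LOG` (AVideo does not write such a log by default, so the endpoint or a reverse proxy would have to emit it, or the parser adapted to an existing format), and it assumes an `ADMIN_USER_IDS` set of accounts that legitimately manage any playlist.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of an application-level audit log for the schedule endpoint.
# The field layout is an assumption made for this example; AVideo does not emit it.
# Line 1: owner (9) schedules its own playlist.            -> legitimate
# Line 2: user 42 creates a schedule on playlist 7 (owner 9). -> cross-owner create
# Line 3: user 42 modifies schedule 15 on playlist 7.          -> cross-owner modify
# Line 4: user 1 (assumed admin) schedules playlist 7.         -> allowed by policy
# Line 5: user 42 tries playlist 8 and the request errors out. -> failed attempt
SAMPLE_LOG = """\
2026-03-28T10:00:01Z endpoint=/plugin/PlayLists/View/Playlists_schedules/add.json.php user_id=9 playlists_id=7 playlist_owner_id=9 schedule_id=- status=ok
2026-03-28T10:00:05Z endpoint=/plugin/PlayLists/View/Playlists_schedules/add.json.php user_id=42 playlists_id=7 playlist_owner_id=9 schedule_id=- status=ok
2026-03-28T10:00:09Z endpoint=/plugin/PlayLists/View/Playlists_schedules/add.json.php user_id=42 playlists_id=7 playlist_owner_id=9 schedule_id=15 status=ok
2026-03-28T10:01:00Z endpoint=/plugin/PlayLists/View/Playlists_schedules/add.json.php user_id=1 playlists_id=7 playlist_owner_id=9 schedule_id=- status=ok
2026-03-28T10:02:00Z endpoint=/plugin/PlayLists/View/Playlists_schedules/add.json.php user_id=42 playlists_id=8 playlist_owner_id=9 schedule_id=- status=error
"""

# Assumed: these accounts are platform administrators allowed to manage any playlist.
ADMIN_USER_IDS = frozenset({1})

# Endpoint named in the advisory; only requests to it are examined.
ENDPOINT = "/plugin/PlayLists/View/Playlists_schedules/add.json.php"

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: int
    playlists_id: int
    owner_id: int
    action: str      # "create" when no schedule_id was supplied, otherwise "modify"
    succeeded: bool  # True when the endpoint reported status=ok


def parse_line(line):
    """Split one audit line into its leading timestamp and a dict of key=value fields."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None, {}
    return parts[0], dict(KV_RE.findall(parts[1]))


def detect_cross_owner_schedule_changes(lines, admin_ids=ADMIN_USER_IDS):
    """Return a Finding for every schedule create/modify where the actor is neither
    the playlist owner nor an admin. Failed attempts are kept (succeeded=False)
    because repeated probing of other users' playlists is itself worth triage."""
    findings = []
    for line in lines:
        ts, fields = parse_line(line)
        if fields.get("endpoint") != ENDPOINT:
            continue
        try:
            user = int(fields["user_id"])
            playlist = int(fields["playlists_id"])
            owner = int(fields["playlist_owner_id"])
        except (KeyError, ValueError):
            continue  # malformed line: skip it rather than crash the monitor
        if user == owner or user in admin_ids:
            continue  # the ownership check that the patched endpoint enforces
        action = "create" if fields.get("schedule_id", "-") == "-" else "modify"
        findings.append(Finding(ts, user, playlist, owner, action,
                                fields.get("status") == "ok"))
    return findings


def per_user_summary(findings):
    """Count findings per acting user, useful for spotting one account sweeping many playlists."""
    return Counter(f.user_id for f in findings)


if __name__ == "__main__":
    hits = detect_cross_owner_schedule_changes(SAMPLE_LOG.splitlines())
    for h in hits:
        state = "SUCCEEDED" if h.succeeded else "failed"
        print(f"{h.timestamp} user {h.user_id} {h.action} on playlist {h.playlists_id} "
              f"(owner {h.user_id != h.owner_id and h.owner_id}) {state}")
    print("per-user:", dict(per_user_summary(hits)))
```

On a patched instance every cross-owner entry should carry a non-`ok` status; a `succeeded=True` finding after the fix from commit 1e6dc20172de986f60641eb4fdb4090f079ffdce is applied means the patch did not take effect on that endpoint.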