CVE-2026-34364
Received Received - Intake
Access Control Bypass in WWBN AVideo categories.json.php Endpoint

Publication date: 2026-03-27

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34364
EUVD
EUVD-2026-16732
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34364 is a vulnerability in the WWBN AVideo open source video platform (versions up to 26.0) affecting the categories.json.php endpoint, which serves the category listing API.

The vulnerability arises because the endpoint fails to enforce user group-based access controls properly. When no user parameter is provided in the request, the filtering by user groups is completely skipped, exposing all non-private categories, including those restricted to specific user groups.

When the user parameter is supplied, a type confusion bug causes the system to use the admin user's group memberships instead of the current user's, making the filtering ineffective and exposing restricted categories.

This means unauthorized users can see categories they should not have access to, including metadata about which groups categories are restricted to.

Compliance Impact

The vulnerability in WWBN AVideo allows unauthorized users to bypass user group-based access controls and enumerate restricted categories, exposing internal access control configurations. This information disclosure could potentially lead to unauthorized access to sensitive metadata about category restrictions.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the exposure of access control information and potential unauthorized data access could raise concerns under these regulations, which require protection of sensitive data and proper access controls.

Therefore, this vulnerability may negatively impact compliance with data protection regulations by failing to adequately restrict access to category metadata, which could be considered sensitive depending on the context of the data hosted on the platform.

Impact Analysis

This vulnerability allows any unauthenticated or unauthorized user to bypass intended access controls and enumerate all non-private categories, including those restricted to specific user groups.

As a result, sensitive information about category restrictions and internal access control configurations is disclosed.

This information disclosure can facilitate further targeted attacks or unauthorized access attempts on videos within those restricted categories.

The vulnerability has a medium severity rating with a CVSS score of 5.3, indicating a moderate risk primarily due to information disclosure rather than direct content compromise.

Detection Guidance

This vulnerability can be detected by attempting to access the categories listing API endpoint without authentication and observing if restricted categories are exposed.

Specifically, sending a request to the `categories.json.php` endpoint without the `?user=` parameter should not return categories restricted to specific user groups. If it does, the system is vulnerable.

Additionally, sending a request with the `?user=1` parameter and checking if the response incorrectly applies admin user group filtering can indicate the presence of the type confusion bug.

  • Use a command like: `curl -s 'http://<your-avideo-domain>/objects/categories.json.php'` and check if restricted categories are listed.
  • Use a command like: `curl -s 'http://<your-avideo-domain>/objects/categories.json.php?user=1'` and verify if the filtering is incorrectly applied using admin groups.
Mitigation Strategies

The immediate mitigation step is to update the wwbn/AVideo platform to a version that includes the fix for CVE-2026-34364.

The fix involves modifying the category listing API to always apply user group filtering based on the actual logged-in user's ID, or a sentinel value for guests, preventing unauthorized access to restricted categories.

If updating immediately is not possible, restrict access to the `categories.json.php` endpoint to authenticated users only or implement network-level controls to limit access.

  • Apply the patch from commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 which corrects the user group filtering logic.
  • Ensure that the backend enforces user group membership checks consistently for all category retrieval functions.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34364. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart