CVE-2026-34738
Received Received - Intake
Authorization Bypass in WWBN AVideo Allows Unauthorized Video Publishing

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34738
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in WWBN AVideo versions 26.0 and prior, where the video processing pipeline accepts an overrideStatus request parameter. This parameter allows any uploader to set a video's status to any valid state, including "active". This means that users with upload permissions can bypass the admin-controlled moderation and draft workflows.

The setStatus() method checks if the status code is valid but does not verify whether the user has permission to set that status. As a result, any uploader can publish videos directly without content review.

At the time of publication, no public patches are available to fix this issue.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps should focus on restricting upload permissions to trusted users only.

Additionally, monitoring and auditing uploader activities to detect unauthorized status changes can help mitigate the risk.

Consider implementing additional access controls or manual review processes outside the application to ensure content moderation.

Impact Analysis

This vulnerability allows any user with upload permissions to publish videos directly, bypassing the intended moderation and content review processes.

This could lead to the publication of inappropriate, harmful, or non-compliant content without administrative oversight.

It undermines the integrity of the content management workflow and could damage the platform's reputation or lead to legal or regulatory issues.

Compliance Impact

This vulnerability allows any user with upload permissions to bypass admin-controlled moderation and publish videos directly without content review. Such unauthorized publishing could lead to the dissemination of unapproved or sensitive content.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to circumvent content review processes may increase the risk of non-compliance with regulations that require strict control over data publication and content management.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart