CVE-2026-34738
Authorization Bypass in WWBN AVideo Allows Unauthorized Video Publishing
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in WWBN AVideo versions 26.0 and prior, where the video processing pipeline accepts an overrideStatus request parameter. This parameter allows any uploader to set a video's status to any valid state, including "active". This means that users with upload permissions can bypass the admin-controlled moderation and draft workflows.
The setStatus() method checks if the status code is valid but does not verify whether the user has permission to set that status. As a result, any uploader can publish videos directly without content review.
At the time of publication, no public patches are available to fix this issue.
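The pattern described above, as a constructed illustration added here (not AVideo's own code): a setStatus() that checks only that the requested value is a known state, beside a hardened version that also checks whether the caller is allowed to request that state. The class, state names and the admin flag are hypothetical.

```php
<?php
// Constructed illustration of the CWE-285 pattern described for this CVE.
// Not AVideo code: class, state names and the admin flag are hypothetical.
final class VideoStatus
{
    // 'active' stands for "publicly visible"; the others still need review.
    const VALID = ['draft', 'pending_review', 'active', 'inactive'];
}

class VideoRecord
{
    public string $status = 'draft';

    // Vulnerable: validates the value but never asks who is setting it.
    // Any caller that can reach this with overrideStatus=active publishes directly.
    public function setStatusVulnerable(string $status): bool
    {
        if (!in_array($status, VideoStatus::VALID, true)) {
            return false;
        }
        $this->status = $status;
        return true;
    }

    // Hardened: syntactic validity and authorization are separate checks.
    // Non-admin uploaders may only place a video in states that still require review.
    public function setStatusChecked(string $status, bool $callerIsAdmin): bool
    {
        if (!in_array($status, VideoStatus::VALID, true)) {
            return false;
        }
        $uploaderAllowed = ['draft', 'pending_review'];
        if (!$callerIsAdmin && !in_array($status, $uploaderAllowed, true)) {
            // Log the rejected override; this is the audit signal defenders want.
            error_log("rejected status override to '$status' by non-admin caller");
            return false;
        }
        $this->status = $status;
        return true;
    }
}

// Simulated request from a non-admin uploader carrying overrideStatus=active.
$request = ['overrideStatus' => 'active'];
$callerIsAdmin = false;

$v1 = new VideoRecord();
$v1->setStatusVulnerable($request['overrideStatus']);
echo "vulnerable path: {$v1->status}\n";   // status after the unchecked override

$v2 = new VideoRecord();
$v2->setStatusChecked($request['overrideStatus'], $callerIsAdmin);
echo "hardened path:   {$v2->status}\n";   // status after the authorization check
```

The hardened variant keeps the status decision server-side: an uploader's request can only leave the video in a state that an admin still has to approve.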
What immediate steps should I take to mitigate this vulnerability?
Since there are no publicly available patches at the time of publication, immediate mitigation steps should focus on restricting upload permissions to trusted users only.
Additionally, monitoring and auditing uploader activities to detect unauthorized status changes can help mitigate the risk.
Consider implementing additional access controls or manual review processes outside the application to ensure content moderation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows any user with upload permissions to bypass admin-controlled moderation and publish videos directly without content review. Such unauthorized publishing could lead to the dissemination of unapproved or sensitive content.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to circumvent content review processes may increase the risk of non-compliance with regulations that require strict control over data publication and content management.
How can this vulnerability impact me?
This vulnerability allows any user with upload permissions to publish videos directly, bypassing the intended moderation and content review processes.
This could lead to the publication of inappropriate, harmful, or non-compliant content without administrative oversight.
It undermines the integrity of the content management workflow and could damage the platform's reputation or lead to legal or regulatory issues.