CVE-2026-35179
Status: Received - Intake
Unauthenticated Proxy Access in WWBN AVideo SocialMediaPublisher Plugin

Publication date: 2026-04-06

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wwbn
Product: avideo
Version / Range: up to 26.0 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated users to proxy arbitrary calls to the Facebook/Instagram Graph API using the AVideo server, potentially enabling unauthorized modification of Instagram content associated with the platform.

This unauthorized access and modification capability could lead to integrity violations of data and content managed by the platform.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for unauthorized users to manipulate content and potentially abuse access tokens may raise concerns about data integrity and access controls, which are important aspects of many regulatory frameworks.

Therefore, without proper authorization controls, this vulnerability could negatively impact compliance with regulations that require strict access control and data integrity safeguards.


Can you explain this vulnerability to me?

CVE-2026-35179 is a vulnerability in the SocialMediaPublisher plugin of the WWBN AVideo platform (version 26.0 and prior). The plugin exposes an endpoint called publishInstagram.json.php that acts as an unauthenticated proxy to the Facebook/Instagram Graph API.

This endpoint accepts user-controlled parameters such as access tokens, container IDs, and Instagram account IDs, and forwards them directly to the Graph API without any authentication or authorization checks.

Because of this, any unauthenticated user can make arbitrary Graph API calls through the server, potentially abusing the platform's credentials or using stolen tokens to interact with Instagram accounts linked to the platform.


How can this vulnerability impact me?

This vulnerability allows an attacker to perform unauthorized actions on Instagram accounts linked to the AVideo platform by proxying Graph API calls through the server.

  • An attacker can publish, modify, or delete content on the Instagram account.
  • Attackers can bypass IP-based restrictions or rate limits on the Graph API since the calls originate from the trusted server IP.
  • If an attacker obtains a valid access token (possibly from another vulnerability), they can abuse this endpoint to control Instagram content without authentication.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for unauthenticated access to the endpoint publishInstagram.json.php in the SocialMediaPublisher plugin of WWBN AVideo (versions 26.0 and prior). An attacker can send requests with user-controlled parameters such as accessToken, containerId, and instagramAccountId to this endpoint.

To detect exploitation attempts or to probe your own system for this vulnerability, monitor HTTP requests to the publishInstagram.json.php endpoint that are answered without an authenticated session.

Example command using curl to test if the endpoint is accessible without authentication:

  • curl -v "http://your-avideo-server/path/to/publishInstagram.json.php?accessToken=TEST&containerId=TEST&instagramAccountId=TEST"

If the response returns Graph API error messages without requiring login or admin privileges, it indicates the vulnerability is present.

Additionally, you can use network monitoring tools or web server logs to identify unauthenticated requests to this endpoint.
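The log review suggested above, written out as an added PHP command-line script. This is an illustration added to this page, not code from the advisory or from the AVideo project. It parses access-log lines in the Apache/Nginx "combined" format, keeps only requests whose path ends in publishInstagram.json.php, and summarizes them per source address, noting whether an accessToken parameter was supplied in the query string. The parameter names accessToken, containerId and instagramAccountId are the ones used in the Q&A above and are assumed here; the plugin path and all log lines are constructed for the demonstration.

```php
<?php
// Added illustration (not AVideo's or the advisory's own code): scan web
// server access logs for requests to the SocialMediaPublisher endpoint named
// in CVE-2026-35179. Parameter names (accessToken, containerId,
// instagramAccountId) are the ones used in the advisory's Q&A and are
// assumed here; the plugin path and the log lines below are constructed.

declare(strict_types=1);

// Apache/Nginx "combined" log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"$/';
const ENDPOINT = 'publishinstagram.json.php';

/** Parse one combined-format line into named fields, or null if it does not match. */
function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_RE, trim($line), $m)) {
        return null;
    }
    $url = parse_url($m['target']);
    $query = [];
    parse_str($url['query'] ?? '', $query);
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $url['path'] ?? $m['target'],
        'query'  => $query,
        'status' => (int) $m['status'],
        'ua'     => $m['ua'],
    ];
}

/** True when the request path ends in the vulnerable endpoint (case-insensitive). */
function hitsEndpoint(array $entry): bool
{
    return str_ends_with(strtolower($entry['path']), ENDPOINT);
}

/** Per source IP: number of hits, HTTP statuses seen, and whether a token was passed in the query. */
function summarizeHits(iterable $lines): array
{
    $perIp = [];
    foreach ($lines as $line) {
        $e = parseLogLine($line);
        if ($e === null || !hitsEndpoint($e)) {
            continue;
        }
        $ip = $e['ip'];
        $perIp[$ip] ??= ['count' => 0, 'statuses' => [], 'tokenSupplied' => false];
        $perIp[$ip]['count']++;
        $perIp[$ip]['statuses'][$e['status']] = true;
        if (isset($e['query']['accessToken'])) {
            $perIp[$ip]['tokenSupplied'] = true;
        }
    }
    return $perIp;
}

// Constructed sample: two probes of the endpoint from one host, one ordinary page view.
$sampleLog = [
    '203.0.113.9 - - [06/Apr/2026:10:01:02 +0000] "GET /plugin/SocialMediaPublisher/publishInstagram.json.php?accessToken=TEST&containerId=TEST&instagramAccountId=TEST HTTP/1.1" 200 187 "-" "curl/8.5.0"',
    '203.0.113.9 - - [06/Apr/2026:10:01:05 +0000] "GET /plugin/SocialMediaPublisher/publishInstagram.json.php?accessToken=CONSTRUCTEDTOKEN&containerId=CONSTRUCTED1&instagramAccountId=CONSTRUCTED2 HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '198.51.100.4 - - [06/Apr/2026:10:02:10 +0000] "GET /view/?v=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (summarizeHits($sampleLog) as $ip => $s) {
    printf("%-15s hits=%d statuses=%s token_in_query=%s\n",
        $ip, $s['count'], implode(',', array_keys($s['statuses'])), $s['tokenSupplied'] ? 'yes' : 'no');
}
```

To run it against a real log, replace $sampleLog with an iterator over the file (for example `new SplFileObject('/var/log/apache2/access.log')`). On a patched installation, anonymous hits to the endpoint should show a 403-style rejection status rather than 200; a 200 for a source that never authenticated is the signal the Q&A describes.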


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to restrict access to the publishInstagram.json.php endpoint by adding an admin authorization check at the start of the script.

Specifically, implement a check similar to the following in publishInstagram.json.php:

  • if (!User::isAdmin()) { die(json_encode(['error' => 'Not authorized'])); }

This change ensures that only authenticated admin users can access the endpoint, preventing unauthenticated users from abusing it as a proxy to the Facebook/Instagram Graph API.

Additionally, review and apply any official patches or updates provided by WWBN for this vulnerability.
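The fix described above, shown as an added PHP illustration of the vulnerable request-handling shape beside the hardened one. This is not AVideo's own code: User::isAdmin() and InstagramUploader::publishMediaIfIsReady() are named on this page, but their signatures are not, so both are injected as callables and the parameter names (accessToken, containerId, instagramAccountId) are taken from the Q&A above and assumed. The point demonstrated is that the authorization check must run before any request parameter is read or any outbound Graph API call is made, so an anonymous caller cannot cause the server to contact the API at all.

```php
<?php
// Added illustration (not AVideo's own code): the authorization gate that
// CVE-2026-35179 is missing, placed in front of the Graph API proxy call.
// $isAdmin stands in for User::isAdmin() and $publish for
// InstagramUploader::publishMediaIfIsReady(); their real signatures are not
// given on the advisory page, so they are injected here as callables.

declare(strict_types=1);

/**
 * Vulnerable shape: every request parameter goes straight into the Graph API
 * call, with no check that the caller is an authenticated administrator.
 */
function publishInstagramVulnerable(array $request, callable $publish): array
{
    return $publish(
        $request['accessToken'] ?? '',
        $request['containerId'] ?? '',
        $request['instagramAccountId'] ?? ''
    );
}

/**
 * Hardened shape: fail closed before touching any parameter or making any
 * outbound call. Returns the HTTP status to send together with the JSON body.
 */
function publishInstagramHardened(array $request, callable $isAdmin, callable $publish): array
{
    if (!$isAdmin()) {
        // Same decision as the advisory's one-line fix: reject before the proxy call.
        return ['status' => 403, 'body' => ['error' => 'Not authorized']];
    }
    // Added input check (illustration): only proceed with complete, string-typed parameters.
    foreach (['accessToken', 'containerId', 'instagramAccountId'] as $key) {
        if (!isset($request[$key]) || !is_string($request[$key]) || $request[$key] === '') {
            return ['status' => 400, 'body' => ['error' => "missing parameter: $key"]];
        }
    }
    $result = $publish($request['accessToken'], $request['containerId'], $request['instagramAccountId']);
    return ['status' => 200, 'body' => $result];
}

// --- Stand-alone demonstration with constructed stand-ins -------------------
$calls = 0;
// Counts outbound Graph API calls instead of making them.
$fakePublish = function (string $token, string $container, string $account) use (&$calls): array {
    $calls++;
    return ['published' => true, 'container' => $container];
};
$constructedRequest = [
    'accessToken'        => 'CONSTRUCTEDTOKEN',
    'containerId'        => 'CONSTRUCTED1',
    'instagramAccountId' => 'CONSTRUCTED2',
];

// Anonymous caller against the vulnerable shape: the outbound call happens.
publishInstagramVulnerable($constructedRequest, $fakePublish);
echo "vulnerable shape, anonymous caller: outbound calls = $calls\n";

// Same caller against the hardened shape: rejected, no outbound call added.
$anon = publishInstagramHardened($constructedRequest, fn() => false, $fakePublish);
echo "hardened shape, anonymous caller: HTTP {$anon['status']}, outbound calls = $calls\n";

// Admin caller against the hardened shape: allowed through.
$admin = publishInstagramHardened($constructedRequest, fn() => true, $fakePublish);
echo "hardened shape, admin caller: HTTP {$admin['status']}, outbound calls = $calls\n";
```

In the real endpoint script the returned status would be sent with http_response_code() and the body with json_encode(), which is what the advisory's `die(json_encode(['error' => 'Not authorized']))` line does in one step; the structure here keeps the handler free of global state so the two shapes can be exercised side by side.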

