CVE-2026-39368
Received Received - Intake
Stored SSRF in WWBN AVideo Live Restream Log Callback

Publication date: 2026-04-07

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39368
EUVD
EUVD-2026-19881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39368 is a stored Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions 26.0 and prior. It occurs in the Live restream log callback flow, where an attacker-controlled URL (restreamerURL) is accepted and stored by the server without proper validation.

Later, the server fetches this stored URL server-side, allowing an authenticated user with streaming permission (a low-privilege user) to trigger HTTP requests from the server to internal or loopback services. This means the attacker can make the server send requests to internal network services that are normally inaccessible externally.

The vulnerability arises because the server accepts a response token without strictly limiting the callback destination to trusted endpoints, enabling abuse of the restream log feature to perform SSRF.

Impact Analysis

This vulnerability allows an authenticated streamer with low privileges to abuse the server to send HTTP requests to internal or loopback services that are normally protected from external access.

  • The server can act as a proxy to access sensitive internal-only services such as admin panels, internal APIs, or cloud metadata services.
  • This can lead to unauthorized disclosure of confidential information stored on internal services.
  • Since the attacker only needs streaming permission and no user interaction, the attack complexity is low.
Detection Guidance

This vulnerability can be detected by observing the server-side requests triggered by authenticated streamers with streaming permission. Specifically, monitoring calls to the endpoints involved in the vulnerable flow can help identify exploitation attempts.

  • Check for requests to the endpoint `plugin/Live/view/getRestream.json.php` that include unusual or unexpected callback URLs.
  • Monitor POST requests to `plugin/Live/view/Live_restreams_logs/add.json.php` where attacker-controlled `restreamerURL` values might be stored.
  • Look for exchanges of tokens via `plugin/Live/view/Live_restreams/verifyTokenForAction.json.php` that could be used to validate malicious callback URLs.

Suggested commands to detect suspicious activity might include using curl or similar tools to simulate or inspect these requests, for example:

  • curl -X GET 'https://your-avideo-instance/plugin/Live/view/getRestream.json.php?parameters' -H 'Authorization: Bearer <token>'
  • curl -X POST 'https://your-avideo-instance/plugin/Live/view/Live_restreams_logs/add.json.php' -d 'restreamerURL=http://127.0.0.1:9999/index.php' -H 'Authorization: Bearer <token>'

Additionally, network monitoring tools can be used to detect unexpected outbound HTTP requests from the server to internal or loopback addresses, which may indicate exploitation of the SSRF vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing strict validation and restrictions on the `restreamerURL` to prevent attacker-controlled URLs from being stored or used.

  • Validate the `restreamerURL` against a whitelist of explicitly configured, trusted restreamer endpoints at the time of storage.
  • Re-validate the stored callback URL before each server-side fetch to ensure it remains within trusted boundaries.
  • Bind the `responseToken` to the expected restream row and callback host to prevent token misuse.
  • Apply SSRF validation to all initial server-side fetch destinations, not just redirect targets.
  • Reject or ignore user-supplied callback hosts that do not match trusted configurations.

Since no patched versions are available at the time of the advisory, these validation and filtering measures are critical to reduce the risk of exploitation.

Compliance Impact

The vulnerability allows an authenticated low-privilege user to cause the server to make HTTP requests to internal or loopback services, potentially exposing sensitive internal-only services such as admin panels, internal APIs, or cloud metadata services.

This unauthorized disclosure of confidential information could lead to violations of data protection regulations and standards that require safeguarding sensitive data, such as GDPR and HIPAA.

Therefore, the SSRF vulnerability may negatively impact compliance by increasing the risk of unauthorized access to sensitive internal data, which these regulations mandate to protect.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart