CVE-2026-40907
Status: Received - Intake
IDOR in WWBN AVideo Live Restream Endpoint Exposes Tokens

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn
Product: avideo
Version / Range: up to and including 29.0
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The data exposed by this vulnerability (third-party stream keys and OAuth access and refresh tokens) are credentials bound to identifiable user accounts. Their disclosure to another authenticated user is an unauthorized access to, and a breach of confidentiality of, personal data in the sense of the GDPR for any deployment that serves EU residents, and may trigger breach-notification duties toward the supervisory authority and the affected users.

Beyond disclosure, the exposed credentials are usable: a stream key allows unauthorized broadcasting on the victim's channel, and a refresh token allows persistent access to the victim's third-party account, so the impact extends past the AVideo instance itself.

HIPAA is only relevant where the platform is operated by or for a covered entity or business associate; the vulnerability does not expose health data as such, but any organization subject to HIPAA would still have to treat unauthorized credential access to its systems under its access-control and incident-response obligations.

In short, the vulnerability undermines compliance by allowing authenticated users to read other users' credentials without authorization, which can lead to regulatory exposure and loss of user trust until the fix is applied and the affected credentials are rotated.


Can you explain this vulnerability to me?

CVE-2026-40907 is an Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform, specifically in the endpoint `plugin/Live/view/Live_restreams/list.json.php`.

This vulnerability allows any authenticated user with streaming permission to access live restream configurations of other users by manipulating the `users_id` parameter in the request.

Because the authorization logic only overrides the `users_id` parameter if it is empty, a non-admin user can explicitly supply another user's ID to retrieve that user's sensitive data.

The exposed data includes third-party platform stream keys (RTMP keys) and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch.

This happens due to a missing ownership check in the code, allowing unauthorized access to other users' live restream configurations.


How can this vulnerability impact me?

This vulnerability can have several serious impacts:

  • Credential Theft: Attackers can steal RTMP stream keys and OAuth tokens from other users.
  • Unauthorized Broadcasting: Using stolen RTMP keys, attackers can broadcast arbitrary content on victims' YouTube, Facebook, or Twitch channels.
  • OAuth Token Abuse: Stolen refresh tokens allow attackers to obtain new access tokens, maintaining persistent unauthorized access to victims' third-party streaming accounts.
  • Full Enumeration: Since user IDs are sequential, attackers can enumerate all users to harvest all restream credentials on the platform.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by requesting another user's live restream configuration from the vulnerable endpoint while authenticated as a non-admin user who has streaming permission. The session must be non-admin: an administrator is allowed to list any user's restreams, so a positive result from an admin session proves nothing.

Send a request to `plugin/Live/view/Live_restreams/list.json.php` with the `users_id` parameter set to another user's ID. If the response contains restream rows whose `users_id` is not the session user's, and those rows carry stream keys or OAuth tokens (`access_token`, `refresh_token`), the instance is vulnerable.

  • Example curl command to test the vulnerability: `curl -s -b 'PHPSESSID=<attacker_session>' 'https://target.com/plugin/Live/view/Live_restreams/list.json.php?users_id=<victim_id>'`

Replace `<attacker_session>` with a valid session cookie for an authenticated non-admin user with streaming permission and `<victim_id>` with the user ID of another user. Receiving the victim's restream configuration indicates the vulnerability is present; a patched instance returns only the calling user's own rows regardless of the `users_id` value supplied. Because the response contains live credentials, avoid pasting it into tickets or logs unredacted.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the fix, which enforces ownership of the `users_id` parameter in the vulnerable endpoint.

Specifically, the authorization logic in `plugin/Live/view/Live_restreams/list.json.php` must not let non-admin users choose the `users_id`. Before the fix the endpoint only substituted the session user's ID when the parameter was empty; after the fix a non-admin caller's `users_id` is always set to the current user's ID, whether or not the parameter was supplied, while administrators retain the ability to list other users' restreams.

This change prevents non-admin users from reading other users' live restream configurations and thus protects stream keys and OAuth tokens from disclosure through this endpoint.

If you are running the official AVideo platform, apply commit d5992fff2811df4adad1d9fc7d0a5837b882aed7, which implements this authorization enforcement, or upgrade to a release that contains it.

Patching does not revoke anything already harvested: the exposed values are long-lived credentials. Affected users should regenerate their platform stream keys and revoke or reauthorize the YouTube, Facebook and Twitch OAuth grants, and operators should review web server logs for requests to that endpoint whose `users_id` differs from the requesting session's user.
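
To make the before/after logic concrete, here is an added Python model of the two behaviours described above; it is not AVideo's PHP and is not the patch itself. The session shape (`users_id`, `is_admin`, `can_stream`), the request as a dict of query strings, and the in-memory `RESTREAMS` table are all assumptions constructed for the example. The `resolver` argument lets the same reduced endpoint run with either the vulnerable or the fixed rule so the difference is observable on identical input.

```python
"""Model of the users_id handling in list.json.php before and after the fix.

Added example, not AVideo code. Assumed shapes:
  session: {"users_id": int, "is_admin": bool, "can_stream": bool}
  params:  dict of query-string parameters with string values
"""

# Constructed stand-in for the Live_restreams table (not real data).
RESTREAMS = [
    {"id": 1, "users_id": 1, "title": "Alice YouTube", "stream_key": "alice-key-1",
     "refresh_token": "alice-refresh"},
    {"id": 2, "users_id": 2, "title": "Bob Twitch", "stream_key": "bob-key-2"},
]


def effective_users_id_vulnerable(params, session):
    """Pre-fix rule: the request's users_id is replaced only when it is empty,
    so any authenticated caller can name another user."""
    users_id = params.get("users_id", "")
    if users_id == "":
        users_id = session["users_id"]
    return int(users_id)


def effective_users_id_fixed(params, session):
    """Post-fix rule: non-admins are always pinned to their own id;
    only admins may select another user's rows."""
    if session.get("is_admin"):
        users_id = params.get("users_id", "")
        return int(users_id) if users_id != "" else session["users_id"]
    return session["users_id"]


def list_restreams(params, session, resolver, table=RESTREAMS):
    """The list endpoint reduced to its data access: filter rows by owner."""
    if not session.get("can_stream"):
        return []                       # endpoint requires streaming permission
    owner = resolver(params, session)
    return [dict(row) for row in table if row["users_id"] == owner]


if __name__ == "__main__":
    bob = {"users_id": 2, "is_admin": False, "can_stream": True}
    attack = {"users_id": "1"}          # Bob asks for Alice's rows
    print("vulnerable:", list_restreams(attack, bob, effective_users_id_vulnerable))
    print("fixed:     ", list_restreams(attack, bob, effective_users_id_fixed))
```

The fixed resolver ignores the parameter rather than validating it, which is the safer shape for an ownership check: there is no value a non-admin can send that changes the outcome. Separately from this CVE, a list view that only ever serves the owner has little reason to echo refresh tokens at all, so returning masked values or omitting them is worth considering as defence in depth.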

