CVE-2026-40907
Received Received - Intake
IDOR in WWBN AVideo Live Restream Endpoint Exposes Tokens

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40907
EUVD
EUVD-2026-24284
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized access to sensitive user data, including third-party platform stream keys and OAuth tokens, which are considered personal and confidential information.

Exposure of such credentials can lead to unauthorized broadcasting and persistent access to users' third-party accounts, representing a significant breach of confidentiality.

Such unauthorized disclosure of sensitive information can violate data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data to prevent unauthorized access and ensure user privacy.

Therefore, this vulnerability negatively impacts compliance by exposing sensitive user credentials without proper authorization, potentially leading to regulatory penalties and loss of user trust.

Executive Summary

CVE-2026-40907 is an Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform, specifically in the endpoint `plugin/Live/view/Live_restreams/list.json.php`.

This vulnerability allows any authenticated user with streaming permission to access live restream configurations of other users by manipulating the `users_id` parameter in the request.

Because the authorization logic only overrides the `users_id` parameter if it is empty, a non-admin user can explicitly supply another user's ID to retrieve that user's sensitive data.

The exposed data includes third-party platform stream keys (RTMP keys) and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch.

This happens due to a missing ownership check in the code, allowing unauthorized access to other users' live restream configurations.

Impact Analysis

This vulnerability can have several serious impacts:

  • Credential Theft: Attackers can steal RTMP stream keys and OAuth tokens from other users.
  • Unauthorized Broadcasting: Using stolen RTMP keys, attackers can broadcast arbitrary content on victims' YouTube, Facebook, or Twitch channels.
  • OAuth Token Abuse: Stolen refresh tokens allow attackers to obtain new access tokens, maintaining persistent unauthorized access to victims' third-party streaming accounts.
  • Full Enumeration: Since user IDs are sequential, attackers can enumerate all users to harvest all restream credentials on the platform.
Detection Guidance

This vulnerability can be detected by attempting to access the live restream configurations of other users via the vulnerable endpoint while authenticated as a non-admin user with streaming permissions.

A practical detection method is to use a command like curl to send a request to the endpoint `plugin/Live/view/Live_restreams/list.json.php` with a `users_id` parameter set to another user's ID. If the response returns live restream data for that user, including sensitive fields such as stream keys and OAuth tokens, the system is vulnerable.

  • Example curl command to test the vulnerability: `curl -s -b 'PHPSESSID=<attacker_session>' 'https://target.com/plugin/Live/view/Live_restreams/list.json.php?users_id=<victim_id>'`

Replace `<attacker_session>` with a valid session cookie for an authenticated user with streaming permission and `<victim_id>` with the user ID of another user. Receiving the victim's restream configuration indicates the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to apply the patch that enforces strict ownership checks on the `users_id` parameter in the vulnerable endpoint.

Specifically, modify the authorization logic in `plugin/Live/view/Live_restreams/list.json.php` so that non-admin users cannot specify arbitrary user IDs. Instead, the code should unconditionally set the `users_id` parameter to the current user's ID regardless of whether the parameter is present or empty.

This change prevents non-admin users from accessing other users' live restream configurations and protects sensitive credentials such as stream keys and OAuth tokens.

If you are using the official AVideo platform, apply the fix from commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 which implements this authorization enforcement.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart