CVE-2026-41055
Received Received - Intake
DNS Rebinding SSRF in WWBN AVideo LiveLinks Proxy

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-41055 is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to bypass protections and send requests to internal services or cloud metadata endpoints. This can lead to unauthorized access to sensitive internal resources or information disclosure.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal data and protected health information. If exploited, this vulnerability could lead to breaches of confidentiality and data protection requirements mandated by these regulations.

Therefore, until fully remediated, this vulnerability poses a risk to maintaining compliance with data protection and privacy standards by potentially allowing attackers to access internal data that should be protected.

Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions 29.0 and below. It involves an incomplete Server-Side Request Forgery (SSRF) fix in the LiveLinks proxy component. Although a validation function called isSSRFSafeURL() was added to prevent SSRF attacks, a Time-Of-Check to Time-Of-Use (TOCTOU) issue remains. This means that between the validation of a URL and the actual HTTP request, DNS rebinding can occur, allowing an attacker to redirect traffic to internal endpoints that should not be accessible.

Impact Analysis

This vulnerability can allow an attacker to bypass security controls and access internal network endpoints by exploiting the DNS TOCTOU flaw. This could lead to unauthorized access to internal services or sensitive information that is not intended to be exposed externally. Since the CVSS base score is 8.6 with high confidentiality impact, it indicates a serious risk of data exposure without requiring user interaction or privileges.

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized internal network requests originating from the AVideo LiveLinks proxy endpoint. Since the vulnerability exploits DNS rebinding and TOCTOU race conditions, network logs should be inspected for requests to internal IP ranges such as 10.x.x.x, 172.16.x.x–172.31.x.x, 192.168.x.x, 127.x.x.x, and link-local 169.254.x.x that originate from the server running AVideo.

Specific commands to detect exploitation attempts are not provided in the resources. However, general network monitoring commands could include:

  • Using tcpdump or tshark to capture outgoing HTTP requests from the server to internal IP ranges: tcpdump -i eth0 dst net 10.0.0.0/8 or tcpdump -i eth0 dst net 192.168.0.0/16
  • Checking web server or application logs for requests to the LiveLinks proxy endpoint that include suspicious URLs or repeated requests that might indicate SSRF attempts.
  • Using curl or similar tools to manually test the LiveLinks proxy endpoint with crafted URLs to see if internal IPs can be accessed.

No explicit detection commands or scripts are detailed in the provided resources.

Mitigation Strategies

Immediate mitigation steps include updating the AVideo software to a version that contains the fix introduced in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 or later. This fix enhances SSRF protection by implementing DNS pinning and eliminating the TOCTOU race condition.

  • Apply the patch that modifies the `isSSRFSafeURL()` function to resolve hostnames once and use the resolved IP for validation and subsequent requests.
  • Use the new `proxyDNSPinnedFetch()` function which performs HTTP requests with DNS pinning via cURL's `CURLOPT_RESOLVE` option, preventing DNS rebinding.
  • Block or strictly validate redirect URLs by re-validating each redirect target and its resolved IP before following redirects.
  • Avoid using PHP's `get_headers()` function for SSRF-sensitive requests as it performs separate DNS resolutions and can cause side effects.

If immediate patching is not possible, consider restricting network access from the AVideo server to internal IP ranges at the firewall level to prevent SSRF exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart