CVE-2026-45620
Unauthenticated User Enumeration in WWBN AVideo
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 29.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated user enumeration, exposing sensitive user data such as name, email, username, and channel name without proper authentication or authorization.
Such unauthorized exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personally identifiable information and sensitive health information.
By enabling attackers to access user information without authentication, the vulnerability increases the risk of data breaches and unauthorized data disclosure, potentially violating these regulatory requirements.
Can you explain this vulnerability to me?
CVE-2026-45620 is a vulnerability in the WWBN AVideo open source video platform. Specifically, in version 29.0 and earlier, the file objects/mention.json.php lacks proper authentication and authorization checks. It does not call User::loginCheck() nor does it have an admin gate, relying only on a weak entry guard that checks if the request term starts with '@' and limits results to 10 entries.
This flaw allows unauthenticated attackers to enumerate users remotely by accessing sensitive user information such as name, email, username, and channel name without logging in or having proper permissions.
The vulnerability is classified under CWE-204 (Observable Response Discrepancy) and CWE-285 (Improper Authorization), indicating that it exposes internal state information and allows improper resource access.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to enumerate user accounts on your AVideo platform without authentication. Attackers can obtain sensitive user details such as names, emails, usernames, and channel names.
Such unauthorized access to user information can lead to privacy breaches, targeted phishing attacks, social engineering, and potentially further exploitation if combined with other vulnerabilities.
The CVSS score of 5.3 indicates a moderate severity, reflecting the risk of information disclosure without requiring user interaction or privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable endpoint without authentication and observing if user information is returned.
Specifically, sending a request to the `objects/mention.json.php` file with a parameter `term` starting with '@' can reveal user data such as name, email, username, and channel name.
A simple command to test this could be using curl:
- curl -G 'http://your-avideo-instance/objects/mention.json.php' --data-urlencode 'term=@example'
If the response contains user information without requiring authentication, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper authentication and authorization checks.
Specifically, ensure that the `objects/mention.json.php` file calls `User::loginCheck()` and enforces an admin gate or equivalent access control.
Until an official patch is available, consider restricting access to this endpoint via web server configuration or firewall rules to prevent unauthenticated requests.
Monitoring and logging access to this endpoint can also help detect exploitation attempts.