CVE-2026-45620
Analyzed Analyzed - Analysis Complete
Unauthenticated User Enumeration in WWBN AVideo

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45620
EUVD
EUVD-2026-33307
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45620 is a vulnerability in the WWBN AVideo open source video platform. Specifically, in version 29.0 and earlier, the file objects/mention.json.php lacks proper authentication and authorization checks. It does not call User::loginCheck() nor does it have an admin gate, relying only on a weak entry guard that checks if the request term starts with '@' and limits results to 10 entries.

This flaw allows unauthenticated attackers to enumerate users remotely by accessing sensitive user information such as name, email, username, and channel name without logging in or having proper permissions.

The vulnerability is classified under CWE-204 (Observable Response Discrepancy) and CWE-285 (Improper Authorization), indicating that it exposes internal state information and allows improper resource access.

Impact Analysis

This vulnerability can impact you by allowing attackers to enumerate user accounts on your AVideo platform without authentication. Attackers can obtain sensitive user details such as names, emails, usernames, and channel names.

Such unauthorized access to user information can lead to privacy breaches, targeted phishing attacks, social engineering, and potentially further exploitation if combined with other vulnerabilities.

The CVSS score of 5.3 indicates a moderate severity, reflecting the risk of information disclosure without requiring user interaction or privileges.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoint without authentication and observing if user information is returned.

Specifically, sending a request to the `objects/mention.json.php` file with a parameter `term` starting with '@' can reveal user data such as name, email, username, and channel name.

A simple command to test this could be using curl:

  • curl -G 'http://your-avideo-instance/objects/mention.json.php' --data-urlencode 'term=@example'

If the response contains user information without requiring authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper authentication and authorization checks.

Specifically, ensure that the `objects/mention.json.php` file calls `User::loginCheck()` and enforces an admin gate or equivalent access control.

Until an official patch is available, consider restricting access to this endpoint via web server configuration or firewall rules to prevent unauthenticated requests.

Monitoring and logging access to this endpoint can also help detect exploitation attempts.

Compliance Impact

This vulnerability allows unauthenticated user enumeration, exposing sensitive user data such as name, email, username, and channel name without proper authentication or authorization.

Such unauthorized exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personally identifiable information and sensitive health information.

By enabling attackers to access user information without authentication, the vulnerability increases the risk of data breaches and unauthorized data disclosure, potentially violating these regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45620. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart