CVE-2026-30885 Overview
WWBN AVideo is an open source video platform that contains an information disclosure vulnerability in versions prior to 25.0. The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization, allowing unauthenticated attackers to enumerate user IDs and retrieve sensitive playlist information.
Critical Impact
An unauthenticated attacker can enumerate user IDs and retrieve playlist information, including playlist names, video IDs, and playlist status, for any user on the platform.
Affected Products
- WWBN AVideo versions prior to 25.0
Discovery Timeline
- 2026-03-10 - CVE-2026-30885 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30885
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The affected endpoint /objects/playlistsFromUser.json.php fails to implement any authentication or authorization checks before returning user playlist data. This design flaw allows any unauthenticated remote attacker to query the endpoint and retrieve sensitive information about any user's playlists on the platform.
The vulnerability enables attackers to perform user ID enumeration and gather intelligence about the platform's users and their content organization. Retrieved information includes playlist names, associated video IDs, and playlist visibility status, which could be leveraged for further targeted attacks or reconnaissance activities.
Root Cause
The root cause of this vulnerability is missing authentication for a critical function (CWE-306). The playlistsFromUser.json.php endpoint was implemented without proper access control checks, allowing the API to return sensitive user data regardless of the requester's authentication status. The endpoint accepts user ID parameters and returns corresponding playlist data without verifying that the requesting party has permission to access that information.
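The following Python model contrasts the CWE-306 pattern described above with a hardened handler. It is an added illustration, not AVideo's own PHP code and not the logic of the 25.0 patch (the advisory says only that authentication and authorization checks were added); the session fields, the ownership-or-admin rule, and the playlist data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stand-in for the playlist table (not real data).
PLAYLISTS = {
    1: [{"id": 10, "name": "Board meeting recordings", "status": "private", "videos": [101, 102]}],
    2: [{"id": 20, "name": "Public demos", "status": "public", "videos": [201]}],
}


@dataclass
class Session:
    """Assumed session shape; users_id=None models an unauthenticated request."""
    users_id: Optional[int] = None
    is_admin: bool = False


def playlists_from_user_vulnerable(requested_users_id: int, session: Session) -> dict:
    """CWE-306 pattern: the requester's session is never consulted, so any
    client can read any user's playlists and confirm which user IDs exist."""
    return {"status": 200, "playlists": PLAYLISTS.get(requested_users_id, [])}


def playlists_from_user_fixed(requested_users_id: int, session: Session) -> dict:
    """Hardened pattern (assumed rule: owner or admin only).

    Authentication is checked first, then authorization. A non-owner gets the
    same 403 whether or not the requested user ID exists, so the endpoint no
    longer serves as an oracle for user ID enumeration."""
    if session.users_id is None:
        return {"status": 401, "playlists": []}
    if not (session.is_admin or session.users_id == requested_users_id):
        return {"status": 403, "playlists": []}
    return {"status": 200, "playlists": PLAYLISTS.get(requested_users_id, [])}


if __name__ == "__main__":
    anon = Session()
    print("vulnerable, anonymous:", playlists_from_user_vulnerable(1, anon))
    print("fixed, anonymous:     ", playlists_from_user_fixed(1, anon))
    print("fixed, owner:         ", playlists_from_user_fixed(1, Session(users_id=1)))
```

The ordering matters: checking authentication before authorization keeps the responses for "not logged in", "logged in but not owner", and "user does not exist" from differing in a way that leaks account existence.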
Attack Vector
The vulnerability is exploitable over the network without requiring any authentication or user interaction. An attacker can directly access the vulnerable endpoint by crafting HTTP requests to /objects/playlistsFromUser.json.php with arbitrary user IDs. By iterating through user ID values, an attacker can systematically enumerate all users on the platform and extract their playlist information.
The attack can be performed through simple HTTP GET requests, making it trivial to automate and scale. The exposed information could be used for social engineering, targeted content theft, or identifying high-value accounts for further exploitation.
Detection Methods for CVE-2026-30885
Indicators of Compromise
- Unusual volume of requests to /objects/playlistsFromUser.json.php endpoint from unauthenticated sessions
- Sequential or enumerated user ID values in request parameters suggesting automated scanning
- Requests to the vulnerable endpoint from suspicious IP addresses or known threat actor infrastructure
Detection Strategies
- Monitor web server access logs for high-frequency requests to /objects/playlistsFromUser.json.php
- Implement rate limiting detection rules to identify enumeration attempts against the vulnerable endpoint
- Configure web application firewall (WAF) rules to alert on suspicious access patterns to user data endpoints
Monitoring Recommendations
- Enable detailed logging for API endpoints that handle user data to capture potential exploitation attempts
- Set up alerts for anomalous traffic patterns targeting user enumeration endpoints
- Review access logs for the vulnerable endpoint to identify any historical exploitation prior to patching
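As an added example (not part of this advisory or of the AVideo project), the Python script below applies the indicators and detection strategies above to constructed Apache combined-format access log lines: it counts requests per client IP to /objects/playlistsFromUser.json.php and flags clients whose user ID values form sequential runs. The query parameter name users_id is an assumption; the advisory does not name the parameter, so set USER_ID_PARAM to whatever the deployment actually uses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

ENDPOINT = "/objects/playlistsFromUser.json.php"
USER_ID_PARAM = "users_id"  # ASSUMED parameter name; adjust to the real one

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 230 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:12:05:10 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 1024 "https://video.example/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:05:11 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# client, ident, authuser, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return ip/path/user_id/status for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    values = parse_qs(url.query).get(USER_ID_PARAM, [])
    user_id = int(values[0]) if values and values[0].isdigit() else None
    return {"ip": m.group("ip"), "path": url.path, "user_id": user_id,
            "status": int(m.group("status"))}


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text: str, min_requests: int = 3, min_run: int = 3) -> dict:
    """Flag client IPs that hit the endpoint often AND walk user IDs sequentially.

    Access logs do not record session state, so 'unauthenticated' cannot be
    checked here; volume plus sequential IDs is the heuristic the IoCs describe."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == ENDPOINT:
            per_ip[rec["ip"]].append(rec["user_id"])
    alerts = {}
    for ip, ids in per_ip.items():
        numeric = [i for i in ids if i is not None]
        run = longest_sequential_run(numeric)
        if len(ids) >= min_requests and run >= min_run:
            alerts[ip] = {"requests": len(ids), "longest_sequential_run": run,
                          "distinct_user_ids": len(set(numeric))}
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info}")
```

Tune min_requests and min_run to the site's normal traffic; a single legitimate client viewing one user's playlists (the second IP above) is not flagged. Once the endpoint is behind authentication, unauthenticated hits show up as 401 responses, which is a much cleaner signal than volume alone.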
How to Mitigate CVE-2026-30885
Immediate Actions Required
- Upgrade WWBN AVideo to version 25.0 or later immediately
- Review access logs for signs of prior exploitation of the vulnerable endpoint
- Implement network-level access controls to restrict access to the API endpoint until patching is complete
Patch Information
The vulnerability is fixed in WWBN AVideo version 25.0. The patch adds proper authentication and authorization checks to the /objects/playlistsFromUser.json.php endpoint. Organizations should upgrade to version 25.0 or later as soon as possible.
For detailed patch information, see the GitHub Commit Update and the GitHub Security Advisory GHSA-6w2r-cfpc-23r5.
Workarounds
- Implement web application firewall (WAF) rules to block unauthenticated access to /objects/playlistsFromUser.json.php
- Restrict access to the vulnerable endpoint at the web server configuration level using authentication requirements
- Consider temporarily disabling the endpoint until the patch can be applied, if the functionality is not critical
# Example Apache configuration to restrict access to the vulnerable endpoint
# (requires mod_auth_basic and mod_authn_file; create the user file with htpasswd)
<Location "/objects/playlistsFromUser.json.php">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.