CVE-2026-34395 Overview
A broken access control vulnerability exists in WWBN AVideo, an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but fails to verify User::isAdmin(), allowing any registered user to dump the full user database. This vulnerability enables unauthorized access to sensitive user data including personal information and financial wallet balances.
Critical Impact
Any authenticated user can extract the entire user database including personal information and wallet balances, leading to significant privacy violations and potential financial data exposure.
Affected Products
- WWBN AVideo versions 26.0 and prior
- AVideo YPTWallet plugin
Discovery Timeline
- 2026-03-31 - CVE-2026-34395 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34395
Vulnerability Analysis
This vulnerability is classified as CWE-862: Missing Authorization. The affected endpoint plugin/YPTWallet/view/users.json.php implements only a basic authentication check via User::isLogged() to verify that a user is logged into the platform. However, this check is insufficient because the endpoint exposes sensitive administrative data that should be restricted to privileged users only.
The fundamental flaw is the absence of a proper authorization check. While authentication confirms identity (is this user who they claim to be?), authorization determines access rights (is this user permitted to access this resource?). The missing User::isAdmin() check means any registered user—regardless of their role or privilege level—can access data intended only for administrators.
Root Cause
The root cause is a missing authorization check in the YPTWallet plugin's user data endpoint. The developer implemented authentication (User::isLogged()) but neglected to implement authorization (User::isAdmin()). This is a common security anti-pattern where developers conflate authentication with authorization, assuming that any authenticated user should have access to all authenticated endpoints.
The vulnerable code path allows the request to proceed and return the complete user database simply because the requester has a valid session, without verifying administrative privileges.
Attack Vector
An attacker exploiting this vulnerability would need to first register an account on the target AVideo platform. Once authenticated, they can directly access the vulnerable endpoint plugin/YPTWallet/view/users.json.php via a simple GET request. The server responds with a JSON object containing all platform users' personal information and wallet balances.
The attack requires network access and a low-privilege authenticated account. No user interaction is required from victims, and the attacker can exfiltrate the entire user database in a single request. The data exposed may include usernames, email addresses, personal details, and wallet balance information that could be leveraged for further attacks such as targeted phishing, account takeover attempts, or financial fraud.
Detection Methods for CVE-2026-34395
Indicators of Compromise
- Unusual access patterns to plugin/YPTWallet/view/users.json.php from non-admin accounts
- High-volume requests to the wallet users endpoint from a single user session
- Access logs showing the vulnerable endpoint being accessed by users who have never used wallet admin features
- Large JSON response sizes from the users.json.php endpoint indicating full database dumps
Detection Strategies
- Implement web application firewall (WAF) rules to alert on every access to plugin/YPTWallet/view/users.json.php, and correlate the requesting session with the platform's user roles (a WAF on its own cannot tell an admin session from a non-admin one) so that non-admin hits stand out
- Configure access logging to track all requests to YPTWallet plugin endpoints with associated user privilege levels
- Set up anomaly detection for unusual data exfiltration patterns from authenticated sessions
- Review authentication and authorization logs for access to administrative endpoints
Monitoring Recommendations
- Enable verbose logging on the AVideo platform to capture all API endpoint access
- Monitor network traffic for large JSON responses from the vulnerable endpoint
- Establish baseline access patterns for the YPTWallet plugin and alert on deviations
- Regularly audit user account activity for signs of reconnaissance or data harvesting
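The indicators above (non-admin access, oversized responses, bursts from one account) can be checked directly against access logs once the web server records the authenticated user. The following PHP script is an added example and is not part of the advisory or of AVideo; it assumes a combined-format access log with a trailing "uid=N" field (a custom log format you would have to configure) and a role table exported from the platform. Both inputs are constructed samples.

```php
<?php
// Added detection sketch, not part of the advisory or of AVideo. It assumes
// (a) web-server access logs in combined format with the authenticated
// AVideo user id appended as a final "uid=N" field, which the web server
// does not do by default and must be configured, and (b) a role table
// exported from the platform. Both inputs below are constructed samples.

const TARGET_PATH        = '/plugin/YPTWallet/view/users.json.php';
const BIG_RESPONSE_BYTES = 50000; // above a normal admin page load; tune per site
const BURST_THRESHOLD    = 3;     // hits by one account within the log window

// Constructed role table: user id => is admin?
$roles = [7 => true, 42 => false, 99 => false];

// Constructed log lines (uid 7 is the only admin).
$logLines = [
    '10.0.0.5 - - [01/Apr/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 uid=42',
    '10.0.0.5 - - [01/Apr/2026:10:00:05 +0000] "GET /plugin/YPTWallet/view/users.json.php HTTP/1.1" 200 812344 uid=42',
    '10.0.0.9 - - [01/Apr/2026:10:01:00 +0000] "GET /plugin/YPTWallet/view/users.json.php HTTP/1.1" 200 812344 uid=7',
    '10.0.0.5 - - [01/Apr/2026:10:02:10 +0000] "GET /plugin/YPTWallet/view/users.json.php?x=1 HTTP/1.1" 200 812344 uid=42',
    '10.0.0.5 - - [01/Apr/2026:10:02:11 +0000] "GET /plugin/YPTWallet/view/users.json.php HTTP/1.1" 200 812344 uid=42',
    '10.0.0.12 - - [01/Apr/2026:10:03:00 +0000] "GET /plugin/YPTWallet/view/users.json.php HTTP/1.1" 403 162 uid=99',
    'this line is corrupt and must not crash the scan',
];

// Parse one line; null when the line does not match the expected format.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) uid=(\d+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => explode('?', $m[4], 2)[0],   // drop any query string
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
        'uid'    => (int) $m[7],
    ];
}

// Apply the advisory's indicators: non-admin hits, oversized responses,
// and bursts from one account. Returns one alert string per finding.
function scanForIndicators(array $lines, array $roles): array
{
    $alerts      = [];
    $hitsPerUser = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null || $r['path'] !== TARGET_PATH) {
            continue;   // unparseable or unrelated lines are not signal
        }
        $hitsPerUser[$r['uid']] = ($hitsPerUser[$r['uid']] ?? 0) + 1;
        $isAdmin = $roles[$r['uid']] ?? false;   // unknown uid counts as non-admin
        if (!$isAdmin) {
            $alerts[] = sprintf('[%s] non-admin uid=%d from %s hit %s (status %d, %d bytes)',
                $r['time'], $r['uid'], $r['ip'], $r['path'], $r['status'], $r['bytes']);
        }
        if ($r['status'] === 200 && $r['bytes'] >= BIG_RESPONSE_BYTES) {
            $alerts[] = sprintf('[%s] oversized response (%d bytes) to uid=%d: possible full dump',
                $r['time'], $r['bytes'], $r['uid']);
        }
    }
    foreach ($hitsPerUser as $uid => $n) {
        if ($n >= BURST_THRESHOLD) {
            $alerts[] = sprintf('uid=%d requested %s %d times in this window', $uid, TARGET_PATH, $n);
        }
    }
    return $alerts;
}

foreach (scanForIndicators($logLines, $roles) as $alert) {
    echo $alert, PHP_EOL;
}
```

The oversized-response check is deliberately independent of the role: a legitimate admin export also produces a large body, so that alert is a cue to confirm the account, not a verdict on its own. Requests that were denied (for example by a web-server rule returning 403) still count toward the non-admin and burst indicators, since repeated attempts are themselves worth investigating.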
How to Mitigate CVE-2026-34395
Immediate Actions Required
- Restrict access to plugin/YPTWallet/view/users.json.php at the web server level using authentication rules
- Implement network-level access controls to limit exposure of the AVideo administrative endpoints
- Consider disabling the YPTWallet plugin if it is not critical to operations until a patch is available
- Audit access logs to determine if the vulnerability has been exploited
Patch Information
At the time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the WWBN AVideo GitHub Security Advisory for updates on official patches. Until a vendor patch is released, implementing workarounds is strongly recommended.
Workarounds
- Add server-level access restrictions (e.g., Apache/Nginx rules) to block non-admin access to the vulnerable endpoint
- Modify the vulnerable PHP file to add an explicit User::isAdmin() check before returning user data
- Implement IP-based access controls to restrict administrative endpoints to trusted networks
- Deploy a web application firewall rule to block requests to the vulnerable path from non-administrative sessions
# Nginx configuration to restrict access to the vulnerable endpoint.
# Regex locations are matched in order of appearance, so this block must
# come BEFORE the generic "location ~ \.php$" block that hands requests to
# PHP-FPM; otherwise the request is still passed through to users.json.php.
location ~ /plugin/YPTWallet/view/users\.json\.php {
    # Deny all access by default - remove or modify once a patch is available
    deny all;
    # Alternatively, restrict to admin IP addresses only. Nginx applies
    # allow/deny rules in order, so the allow line must precede "deny all;".
    # To use this variant, replace the "deny all;" above with these two lines:
    # allow 192.168.1.0/24;
    # deny all;
}
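The root-cause section describes the vulnerable code path (authentication only), and the workaround list suggests adding an explicit User::isAdmin() check to the PHP file. The following PHP file is an added example that shows both shapes side by side; it is not code from the AVideo project. The real plugin/YPTWallet/view/users.json.php and AVideo's User class are not reproduced: the stand-in User class, the loadUsersWithWallets() helper and its sample rows are assumptions made so the file runs on its own.

```php
<?php
// Added illustration of the missing check, not code from the AVideo project.
// The real plugin/YPTWallet/view/users.json.php and AVideo's User class are
// not reproduced here; this stand-in User class (an assumption) only mimics
// the two static checks the advisory names, so the file runs on its own
// with `php fix-example.php`.
class User
{
    public static bool $logged = false;
    public static bool $admin  = false;

    public static function isLogged(): bool { return self::$logged; }
    public static function isAdmin(): bool  { return self::$admin; }
}

// Constructed sample rows standing in for the users table joined with
// YPTWallet balances; these are the records the endpoint must protect.
function loadUsersWithWallets(): array
{
    return [
        ['id' => 1, 'user' => 'alice', 'email' => 'alice@example.invalid', 'balance' => 120.50],
        ['id' => 2, 'user' => 'bob',   'email' => 'bob@example.invalid',   'balance' => 3.00],
    ];
}

// Vulnerable shape (CWE-862): authentication only. Every logged-in account
// receives the full table.
function usersJsonVulnerable(): array
{
    if (!User::isLogged()) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    return ['status' => 200, 'body' => loadUsersWithWallets()];
}

// Hardened shape: authentication, then authorization, both before any data
// is read. Non-admins get a 403 with no user records, and the refusal is
// logged so the attempt shows up in monitoring.
function usersJsonHardened(): array
{
    if (!User::isLogged()) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    if (!User::isAdmin()) {
        error_log('YPTWallet users.json.php: admin check failed, request denied');
        return ['status' => 403, 'body' => ['error' => 'admin privileges required']];
    }
    return ['status' => 200, 'body' => loadUsersWithWallets()];
}

// Demo with an ordinary registered account: logged in, not an admin.
User::$logged = true;
User::$admin  = false;
echo 'vulnerable: ', json_encode(usersJsonVulnerable()), PHP_EOL;
echo 'hardened:   ', json_encode(usersJsonHardened()), PHP_EOL;
```

When applying this to the real file, the isAdmin() check belongs at the very top, before any database query is issued, and the 401/403 outcome should be sent with http_response_code() together with a JSON error body so that clients and monitoring see the refusal consistently.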
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.