CVE-2026-34611 Overview
WWBN AVideo is an open source video platform that contains a Cross-Site Request Forgery (CSRF) vulnerability in the objects/emailAllUsers.json.php endpoint. This flaw allows attackers to abuse the administrative email functionality to send arbitrary HTML emails to all registered users on the platform. The vulnerability exists because the endpoint, while verifying admin session status, does not validate a CSRF token. Combined with AVideo's configuration of SameSite=None on session cookies, cross-origin POST requests from attacker-controlled pages automatically include the admin's session cookie.
Critical Impact
An attacker who successfully lures an administrator to a malicious webpage can send phishing emails or malicious content to every registered user on the AVideo platform, with emails appearing to originate from the instance's legitimate SMTP address.
Affected Products
- WWBN AVideo versions 26.0 and prior
Discovery Timeline
- 2026-03-31 - CVE-2026-34611 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34611
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The core issue stems from improper state-changing operation protection in the AVideo administrative interface. When an administrator is authenticated, their session cookie is automatically attached to any request made to the AVideo domain, including requests initiated by third-party websites.
The objects/emailAllUsers.json.php endpoint allows administrators to send HTML emails to every registered user on the platform. While the application correctly verifies that the requester has administrative privileges via session validation, it fails to implement CSRF token validation. This oversight, combined with the SameSite=None cookie attribute, creates an exploitable condition.
Root Cause
The vulnerability originates from two compounding weaknesses, one in the application code and one in its cookie configuration:
Missing CSRF Token Validation: The emailAllUsers.json.php endpoint performs administrative session validation but does not require or validate a CSRF token for the state-changing email operation.
Insecure Cookie Configuration: AVideo sets SameSite=None on session cookies, which instructs browsers to include the cookie in cross-origin requests. This configuration is typically used for third-party contexts but significantly increases CSRF attack surface when combined with missing token validation.
Attack Vector
The attack requires social engineering to lure an authenticated administrator to an attacker-controlled webpage. Once the admin visits the malicious page, JavaScript or an auto-submitting form can make a cross-origin POST request to the vulnerable endpoint. Because SameSite=None is set on session cookies, the browser automatically includes the admin's authentication cookie with the request.
Upon successful exploitation, the attacker can craft and send arbitrary HTML emails to all platform users. These emails appear to originate from the AVideo instance's configured SMTP address, lending credibility to phishing campaigns or social engineering attacks. The attacker controls the email subject, body content, and can include malicious links or embedded content.
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34611
Indicators of Compromise
- Unexpected bulk email activity originating from the AVideo SMTP configuration
- Email server logs showing mass mailings to all registered users without corresponding admin portal activity
- Web server access logs showing POST requests to objects/emailAllUsers.json.php with suspicious Referer headers from external domains
- User reports of unexpected emails from the platform containing phishing links or suspicious content
Detection Strategies
- Monitor web server logs for requests to objects/emailAllUsers.json.php with external or missing Referer headers
- Implement alerting on bulk email operations that lack corresponding administrator session activity in the admin portal
- Review outbound email logs for unusual volume or content patterns that may indicate abuse
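The Referer-based detection strategy above, applied to access-log lines. This is an added example and not part of the advisory or of the AVideo project; it assumes Apache "combined" log format and a made-up instance host name (video.example.org), and the sample log lines, including the admin page path in the first Referer, are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in Apache "combined" format (not taken
# from any real AVideo deployment). The first POST carries a Referer from the
# instance's own admin page, the second comes from an external page, the third
# has no Referer at all, and the last is an unrelated GET.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2026:10:00:01 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 57 "https://video.example.org/admin/emailAllUsers.php" "Mozilla/5.0"
203.0.113.10 - - [01/Apr/2026:10:05:44 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 57 "https://attacker-page.example/landing.html" "Mozilla/5.0"
203.0.113.10 - - [01/Apr/2026:10:06:02 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2026:10:07:15 +0000] "GET /view/videos.php HTTP/1.1" 200 1024 "https://attacker-page.example/landing.html" "Mozilla/5.0"
"""

# State-changing admin endpoints that should only ever be called same-origin.
SENSITIVE_PATHS = {"/objects/emailAllUsers.json.php"}

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_verdict(referer, own_hosts):
    """Classify a Referer value: 'missing-referer', 'external-referer', or None when same-origin."""
    if referer in ("", "-"):
        return "missing-referer"
    host = urlsplit(referer).hostname
    if host is None or host.lower() not in own_hosts:
        return "external-referer"
    return None


def find_suspicious(log_text, own_hosts):
    """Return POSTs to sensitive endpoints whose Referer is absent or from a foreign host."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Strip any query string before comparing the path.
        if urlsplit(rec["path"]).path not in SENSITIVE_PATHS:
            continue
        verdict = referer_verdict(rec["referer"], own)
        if verdict:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "referer": rec["referer"], "reason": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, {"video.example.org"}):
        print(f'{hit["ts"]} {hit["ip"]} {hit["reason"]} referer={hit["referer"]}')
```

A missing Referer is a weaker signal than an external one, because Referrer-Policy settings and privacy extensions strip it from legitimate requests too; treat "missing-referer" hits as something to correlate with admin-portal activity rather than as a standalone alert. Browsers always attach an Origin header to cross-origin POSTs, so if the log format records it (for example with %{Origin}i in an Apache LogFormat), matching on Origin instead of Referer gives fewer false positives.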
Monitoring Recommendations
- Configure SIEM rules to detect cross-origin requests to administrative endpoints
- Set up alerts for bulk email operations exceeding normal thresholds
- Monitor for administrator sessions accessing sensitive endpoints from unusual IP addresses or user agents
- Implement email sending rate limits and alerting at the SMTP gateway level
How to Mitigate CVE-2026-34611
Immediate Actions Required
- Restrict administrative access to trusted networks via firewall rules or VPN requirements
- Educate administrators about phishing risks and the importance of not clicking untrusted links while authenticated
- Consider temporarily disabling the bulk email functionality if not business-critical
- Monitor outbound email for signs of abuse
Patch Information
At the time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates and patch availability.
Workarounds
- Implement a web application firewall (WAF) rule to validate Referer headers on requests to administrative endpoints
- Modify session cookie configuration to use SameSite=Strict or SameSite=Lax if third-party cookie functionality is not required
- Restrict access to the objects/emailAllUsers.json.php endpoint via server configuration until a patch is available
- Use a separate browser or browser profile for AVideo administrative tasks to isolate session cookies
# Example Apache configuration to restrict access to vulnerable endpoint
<Location "/objects/emailAllUsers.json.php">
# Restrict to internal network only
Require ip 10.0.0.0/8 192.168.0.0/16
# Alternatively, disable the endpoint entirely
# Require all denied
</Location>
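The two defects named under Root Cause and the corresponding Workarounds (Origin/Referer validation and a stricter SameSite attribute) can be seen together in one server-side authorization check. This is an added example, not AVideo's code: it models the session and the request as plain dictionaries, uses a made-up host name (video.example.org) and a generic cookie name, and shows a synchronizer-token CSRF check layered on top of the admin-session check the endpoint already performs.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host(s) from which the admin UI is served (assumed value for the example).
ALLOWED_HOSTS = {"video.example.org"}


def issue_csrf_token(session):
    """Generate a per-session CSRF token; the admin form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_ok(headers, allowed_hosts):
    """Accept a state-changing request only if Origin (or, failing that, Referer) is our host.

    Browsers send Origin on every cross-origin POST, so a foreign or 'null' Origin
    is rejected. With neither header present we fail closed.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            host = (urlsplit(value).hostname or "").lower()
            return host in allowed_hosts
    return False


def csrf_token_ok(session, form):
    """Constant-time comparison of the submitted token against the session's token."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def authorize_bulk_email(session, headers, form, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a bulk-email request may proceed; returns (allowed, reason).

    Session validation alone is what the vulnerable endpoint does; the origin
    and token checks are the missing CSRF protection.
    """
    if not session.get("is_admin"):
        return (False, "not-admin")
    if not origin_ok(headers, allowed_hosts):
        return (False, "bad-origin")
    if not csrf_token_ok(session, form):
        return (False, "bad-csrf-token")
    return (True, "ok")


def session_cookie_header(session_id, same_site="Lax"):
    """Set-Cookie value for the session cookie with SameSite=Lax (or Strict) instead of None.

    With Lax or Strict the browser omits the cookie from cross-site POSTs, so the
    forged request arrives unauthenticated even before the token check runs.
    """
    if same_site not in ("Lax", "Strict"):
        raise ValueError("use Lax or Strict for the admin session cookie")
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    admin = {"is_admin": True}
    token = issue_csrf_token(admin)
    print(authorize_bulk_email(admin, {"Origin": "https://video.example.org"}, {"csrf_token": token}))
    print(authorize_bulk_email(admin, {"Origin": "https://attacker-page.example"}, {"csrf_token": token}))
    print(session_cookie_header("constructed-session-id"))
```

The checks are deliberately independent: SameSite=Lax stops the cookie from travelling with a cross-site POST, the Origin/Referer check rejects a cross-site request that somehow still carries credentials, and the token check protects against any path that bypasses both. SameSite=Lax still sends the cookie on top-level GET navigations, so the token check matters for any admin action that is reachable via GET.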
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.