Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34613

CVE-2026-34613: Wwbn Avideo CSRF Vulnerability

CVE-2026-34613 is a CSRF flaw in Wwbn Avideo that allows attackers to disable security plugins by exploiting missing token validation. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-34613 Overview

CVE-2026-34613 is a Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo, an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins by luring an admin to a malicious page.

Critical Impact

Attackers can disable critical security plugins such as LoginControl for 2FA, subscription enforcement, or access control plugins by exploiting this CSRF vulnerability, potentially undermining the entire security posture of affected AVideo installations.

Affected Products

  • WWBN AVideo versions 26.0 and prior
  • All installations using the objects/pluginSwitch.json.php endpoint
  • Deployments with security plugins like LoginControl for 2FA

Discovery Timeline

  • 2026-03-31 - CVE-2026-34613 published to NVD
  • 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-34613

Vulnerability Analysis

This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The core issue lies in the plugin management endpoint's failure to implement proper CSRF protections. When an authenticated administrator visits a malicious webpage, the attacker can craft requests that toggle plugin states without the administrator's knowledge or consent.

The attack is particularly dangerous because multiple security mechanisms have been bypassed or are ineffective. The explicit inclusion of the plugins table in ignoreTableSecurityCheck() prevents the application's ORM from enforcing Referer/Origin validation that would normally provide some protection against cross-origin requests. Furthermore, the session cookies are configured with SameSite=None, allowing them to be sent with cross-origin requests, which is a prerequisite for this CSRF attack to succeed.

Root Cause

The root cause is the absence of CSRF token validation in the objects/pluginSwitch.json.php endpoint combined with the deliberate bypassing of ORM-level security checks for the plugins table. The code explicitly lists the plugins database table in the ignoreTableSecurityCheck() function, which disables the Referer/Origin domain validation that the ObjectYPT::save() method would otherwise perform. This design decision, coupled with SameSite=None cookie configuration, creates an exploitable attack surface.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker must craft a malicious webpage containing hidden requests to the vulnerable endpoint. When an authenticated AVideo administrator visits this malicious page, the browser automatically includes the admin's session cookies due to the SameSite=None setting.

The attacker can then:

  1. Send requests to objects/pluginSwitch.json.php to disable security-critical plugins
  2. Target plugins responsible for two-factor authentication (LoginControl)
  3. Disable subscription enforcement or access control mechanisms
  4. Potentially gain elevated access once security plugins are disabled

The vulnerability requires no privileges from the attacker but does require the victim to have an active administrative session.

Detection Methods for CVE-2026-34613

Indicators of Compromise

  • Unexpected changes to plugin enabled/disabled states in the AVideo admin panel
  • Web server logs showing requests to objects/pluginSwitch.json.php with Referer headers from external domains
  • Security plugins (such as LoginControl) found disabled without administrator action
  • Unusual cross-origin requests targeting the plugin management endpoint

Detection Strategies

  • Monitor access logs for requests to objects/pluginSwitch.json.php that originate from external Referer headers
  • Implement alerting for any plugin state changes, requiring verification through a secondary channel
  • Review web application firewall (WAF) logs for suspicious patterns involving the plugin switch endpoint
  • Deploy endpoint monitoring to detect unauthorized changes to security-critical plugin configurations

Monitoring Recommendations

  • Enable detailed logging for the objects/pluginSwitch.json.php endpoint to capture all toggle requests
  • Configure alerts for plugin state changes, especially for security-related plugins like LoginControl
  • Monitor for administrators accessing unknown or suspicious external URLs prior to plugin changes
  • Implement integrity monitoring for the plugins database table to detect unauthorized modifications

How to Mitigate CVE-2026-34613

Immediate Actions Required

  • Review current plugin states and re-enable any security plugins that may have been disabled
  • Educate administrators about the risks of clicking unknown links while logged into AVideo
  • Consider restricting admin panel access to specific IP addresses or VPN connections
  • Implement additional network-level protections such as a Web Application Firewall (WAF) with CSRF protection rules

Patch Information

At time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on official patches.

Workarounds

  • Modify session cookie settings to use SameSite=Strict or SameSite=Lax at the web server or application level to prevent cross-origin cookie transmission
  • Implement a reverse proxy or WAF rule to validate Referer/Origin headers for requests to objects/pluginSwitch.json.php
  • Use browser isolation or separate browser profiles for AVideo administrative tasks
  • Consider network segmentation to limit access to the admin panel from trusted networks only
bash
# Example Apache configuration to restrict access to the vulnerable endpoint
<Location "/objects/pluginSwitch.json.php">
    # Deny requests with external Referer headers
    SetEnvIf Referer "^$" local_ref
    SetEnvIf Referer "^https?://your-avideo-domain\.com" local_ref
    
    <RequireAll>
        Require env local_ref
    </RequireAll>
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.