Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35449

CVE-2026-35449: WWBN AVideo Information Disclosure Flaw

CVE-2026-35449 is an information disclosure vulnerability in WWBN AVideo that exposes viewer statistics, IP addresses, and session IDs to unauthorized users. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-35449 Overview

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.

This information disclosure vulnerability allows remote attackers to access sensitive diagnostic data without authentication, potentially compromising user privacy and enabling further attacks through exposed session identifiers.

Critical Impact

Unauthenticated remote attackers can access sensitive viewer statistics including IP addresses, session IDs, and user agents through the exposed diagnostic script, potentially enabling session hijacking or targeted attacks.

Affected Products

  • WWBN AVideo version 26.0 and prior

Discovery Timeline

  • 2026-04-06 - CVE CVE-2026-35449 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-35449

Vulnerability Analysis

This vulnerability stems from a misconfiguration in the install/test.php diagnostic script within the WWBN AVideo platform. The script was designed to be accessible only via command-line interface (CLI) for administrative diagnostics. However, the die() statement that enforces this restriction has been commented out in the source code, effectively bypassing the CLI-only access control.

As a result, the diagnostic script remains accessible via HTTP requests after the initial installation process completes. When accessed through a web browser or automated HTTP request, the script returns detailed video viewer statistics that should remain confidential.

Root Cause

The root cause is improper access control (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). The developer-intended CLI-only restriction was inadvertently disabled by commenting out the die() statement that would terminate execution for non-CLI requests. This represents a failure to properly restrict access to a sensitive diagnostic endpoint, leaving it exposed to unauthenticated users on the network.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by simply navigating to or sending an HTTP request to the install/test.php endpoint on any vulnerable AVideo installation. The exploitation process involves:

  1. Identifying an AVideo installation (versions 26.0 or earlier)
  2. Sending an HTTP GET request to /install/test.php
  3. Receiving sensitive viewer statistics in the response, including IP addresses, session IDs, and user agent strings

The vulnerability is accessible from the network without any privileges or special conditions required. The exposed session IDs could potentially be leveraged for session hijacking attacks against legitimate users.

Detection Methods for CVE-2026-35449

Indicators of Compromise

  • Unusual HTTP requests targeting /install/test.php from external IP addresses
  • Web server access logs showing repeated access to the diagnostic script endpoint
  • Unauthorized access patterns to installation directory files post-deployment

Detection Strategies

  • Monitor web server access logs for requests to /install/test.php or other files within the /install/ directory
  • Implement web application firewall (WAF) rules to alert on or block access to diagnostic endpoints
  • Conduct periodic security audits to verify installation scripts are removed or properly secured after deployment

Monitoring Recommendations

  • Configure real-time alerting for any HTTP requests targeting the /install/ directory path
  • Review web server logs regularly for enumeration attempts against administrative or diagnostic endpoints
  • Deploy intrusion detection systems (IDS) to identify reconnaissance activity against video platform installations

How to Mitigate CVE-2026-35449

Immediate Actions Required

  • Remove or restrict access to the /install/ directory after completing AVideo installation
  • Implement web server rules (Apache .htaccess or Nginx configuration) to deny HTTP access to the install/test.php script
  • Review web server access logs to determine if the endpoint has been accessed by unauthorized parties

Patch Information

Users should monitor the GitHub Security Advisory for official patch releases from the WWBN AVideo project. Until an official patch is available, administrators should implement the workarounds listed below to mitigate the risk of information disclosure.

Workarounds

  • Delete the install/test.php file from production AVideo installations
  • Block HTTP access to the entire /install/ directory using web server configuration directives
  • Implement network-level access controls to restrict access to the AVideo administration interface to trusted IP addresses only
bash
# Apache .htaccess configuration to block access to install directory
<Directory "/var/www/avideo/install">
    Order deny,allow
    Deny from all
</Directory>

# Nginx configuration to block access to install directory
location /install/ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.