CVE-2026-35449 Overview
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
This information disclosure vulnerability allows remote attackers to access sensitive diagnostic data without authentication, potentially compromising user privacy and enabling further attacks through exposed session identifiers.
Critical Impact
Unauthenticated remote attackers can access sensitive viewer statistics including IP addresses, session IDs, and user agents through the exposed diagnostic script, potentially enabling session hijacking or targeted attacks.
Affected Products
- WWBN AVideo version 26.0 and prior
Discovery Timeline
- 2026-04-06 - CVE-2026-35449 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35449
Vulnerability Analysis
This vulnerability stems from a disabled guard in the install/test.php diagnostic script shipped with the WWBN AVideo platform. The script was designed to run only from the command-line interface (CLI) for administrative diagnostics: a die() call near the top should abort any execution that arrives through the web server rather than the CLI. In the affected source that die() call is commented out, so the CLI-only check never fires.
As a result, the diagnostic script stays reachable over HTTP after the initial installation completes. When requested from a browser or an automated HTTP client, it returns detailed video viewer statistics that should remain confidential.
Root Cause
The weakness is catalogued as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); the defect behind it is a missing access-control check. The CLI-only restriction the developer intended was disabled by commenting out the die() call that should terminate execution for any non-CLI request, leaving a diagnostic endpoint meant for operators reachable by any unauthenticated client that can reach the web server.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by simply navigating to or sending an HTTP request to the install/test.php endpoint on any vulnerable AVideo installation. The exploitation process involves:
- Identifying an AVideo installation (versions 26.0 or earlier)
- Sending an HTTP GET request to /install/test.php
- Receiving sensitive viewer statistics in the response, including IP addresses, session IDs, and user agent strings
The vulnerability is reachable from the network with no privileges or special conditions. If any exposed session ID belongs to a session that is still valid, an attacker can present it in the session cookie and act as that user, so the disclosure is a session-hijacking risk and not only a privacy one; sessions active while the script was exposed should be treated as compromised.
Detection Methods for CVE-2026-35449
Indicators of Compromise
- Unusual HTTP requests targeting /install/test.php from external IP addresses
- Web server access logs showing repeated access to the diagnostic script endpoint
- Unauthorized access patterns to installation directory files post-deployment
Detection Strategies
- Monitor web server access logs for requests to /install/test.php or other files within the /install/ directory
- Implement web application firewall (WAF) rules to alert on or block access to diagnostic endpoints
- Conduct periodic security audits to verify installation scripts are removed or properly secured after deployment
Monitoring Recommendations
- Configure real-time alerting for any HTTP requests targeting the /install/ directory path
- Review web server logs regularly for enumeration attempts against administrative or diagnostic endpoints
- Deploy intrusion detection systems (IDS) to identify reconnaissance activity against video platform installations
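The log review described above, as an added example for this page (not AVideo project code): it reads Apache/Nginx "combined" format access-log lines, canonicalises the request path so percent-encoded or double-slash variants of install/test.php are not missed, separates requests the server actually answered (2xx, meaning the diagnostic output was served) from ones it blocked, and counts external sources. The SAMPLE_LOG lines and the TRUSTED_NETS ranges are constructed for illustration.

```python
"""Flag requests to the AVideo /install/ directory in web server access logs.

Added example, not AVideo project code.  SAMPLE_LOG and TRUSTED_NETS are
constructed for illustration.
"""
import ipaddress
import posixpath
import re
import sys
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# client ip, identd, user, [timestamp], "METHOD target PROTO", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Ranges from which operators legitimately reach the host (assumed for the example).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log lines; 203.0.113.x / 198.51.100.x play the role of Internet clients.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Apr/2026:10:01:12 +0000] "GET /install/test.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Apr/2026:10:01:15 +0000] "GET /install/test.php?x=1 HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '10.0.0.5 - - [06/Apr/2026:10:02:00 +0000] "GET /install/ HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.7 - - [06/Apr/2026:10:03:30 +0000] "GET /install//%74est.php HTTP/1.1" 200 4821 "-" "masscan/1.3"',
    '192.0.2.44 - - [06/Apr/2026:10:04:00 +0000] "GET /view/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    'not a log line',
]


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    external: bool   # source address outside TRUSTED_NETS
    exposed: bool    # server answered 2xx, so the diagnostic output was served


def normalize_path(target):
    """Canonical lower-case path: drop the query string, percent-decode, and
    collapse '.', '..' and repeated slashes, so /install//%74est.php?x=1
    compares equal to /install/test.php."""
    path = unquote(target.split("?", 1)[0])
    path = "/" + posixpath.normpath(path).lstrip("/")
    return path.lower()


def in_install_dir(path):
    return path == "/install" or path.startswith("/install/")


def is_external(ip, trusted=TRUSTED_NETS):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # unparsable source: treat as untrusted
        return True
    return not any(addr in net for net in trusted)


def parse_line(line, trusted=TRUSTED_NETS):
    """Return a Hit for a request under /install/, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    if not in_install_dir(path):
        return None
    status = int(m.group("status"))
    return Hit(ip=m.group("ip"), ts=m.group("ts"), path=path, status=status,
               external=is_external(m.group("ip"), trusted),
               exposed=200 <= status < 300)


def scan_log(lines, trusted=TRUSTED_NETS):
    hits = (parse_line(line.rstrip("\n"), trusted) for line in lines)
    return [h for h in hits if h is not None]


def summarize(hits):
    """Counts a responder needs: how often the script actually answered, and
    which external addresses asked, most active first."""
    external = Counter(h.ip for h in hits if h.external)
    return {
        "requests": len(hits),
        "exposed": sum(1 for h in hits if h.exposed),
        "external_sources": external.most_common(),
    }


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    found = scan_log(source)
    for h in found:
        flag = "EXPOSED" if h.exposed else "blocked"
        print(f"{h.ts} {h.ip:<15} {h.status} {h.path} {flag}{' external' if h.external else ''}")
    print(summarize(found))
```

Run it as `python scan_install.py /var/log/apache2/access.log` (or pipe rotated logs through `zcat` into a file first). A 200 on /install/test.php from an address outside the trusted ranges is the line that matters: it means the viewer statistics were actually served to that client, and the "exposed" count gives the scale of the disclosure before the fix was applied.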
How to Mitigate CVE-2026-35449
Immediate Actions Required
- Remove or restrict access to the /install/ directory after completing AVideo installation
- Implement web server rules (Apache .htaccess or Nginx configuration) to deny HTTP access to the install/test.php script
- Review web server access logs to determine whether the endpoint has been accessed by unauthorized parties; if it has, treat the session IDs that were exposed as compromised and invalidate active user sessions
Patch Information
Users should monitor the GitHub Security Advisory for official patch releases from the WWBN AVideo project. Until an official patch is available, administrators should implement the workarounds listed below to mitigate the risk of information disclosure.
Workarounds
- Delete the install/test.php file from production AVideo installations
- Block HTTP access to the entire /install/ directory using web server configuration directives
- Implement network-level access controls to restrict access to the AVideo administration interface to trusted IP addresses only
# Apache configuration to block access to the install directory.
# <Directory> blocks belong in httpd.conf or the virtual host file; they are not valid in .htaccess.
# Apache 2.4 syntax:
<Directory "/var/www/avideo/install">
    Require all denied
</Directory>
# Apache 2.2 equivalent (on 2.4 it only works with mod_access_compat loaded):
#   Order deny,allow
#   Deny from all
# If you can only edit .htaccess, put "Require all denied" in /var/www/avideo/install/.htaccess
# (requires AllowOverride AuthConfig or All for that directory).
# Nginx configuration to block access to the install directory.
# The ^~ modifier is needed: without it a regex location such as "location ~ \.php$" that hands
# PHP files to php-fpm takes precedence and /install/test.php would still be executed.
location ^~ /install/ {
    # return runs in the rewrite phase, before access checks, so it alone blocks the request;
    # deny all is kept as a second layer in case the return is removed later.
    deny all;
    return 403;
}
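A post-change check, as an added example for this page (not AVideo project code): it sends the same GET an attacker would send in the attack-vector steps above and reports, for each probe path, whether the response was served, blocked, or redirected elsewhere. The fetch function is injectable so the decision logic can be exercised offline; the `video.example` host in the usage line is a placeholder.

```python
"""Verify that the AVideo /install/ directory is no longer reachable over HTTP.

Added example, not AVideo project code.  The default host is a placeholder.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

PROBE_PATHS = ("/install/test.php", "/install/")
BLOCKED_STATUSES = {401, 403, 404, 410}


def http_fetch(url, timeout=10):
    """GET url and return (final_status, body_bytes, final_url).
    urllib follows redirects, so final_url may differ from url; 4xx/5xx
    answers are returned as data rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "install-dir-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read()), resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, len(err.read() or b""), err.geturl()


def classify(status, size, final_url):
    final_path = urlparse(final_url).path.lower()
    if status in BLOCKED_STATUSES:
        return "blocked"
    if not final_path.startswith("/install"):
        return "redirected"      # e.g. bounced to a login page: not served, but worth a look
    if 200 <= status < 300 and size > 0:
        return "served"          # the diagnostic output (or a directory listing) came back
    return "unexpected"


def check_install_dir(base_url, fetch=http_fetch):
    results = {}
    for path in PROBE_PATHS:
        status, size, final_url = fetch(base_url.rstrip("/") + path)
        results[path] = {"status": status, "bytes": size,
                         "verdict": classify(status, size, final_url)}
    return results


def is_hardened(results):
    """True when no probe path was actually served."""
    return all(r["verdict"] != "served" for r in results.values())


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://video.example"  # placeholder host
    try:
        res = check_install_dir(base)
    except urllib.error.URLError as err:
        print(f"could not reach {base}: {err.reason}")
        sys.exit(2)
    for path, r in res.items():
        print(f"{path:<20} {r['status']} {r['bytes']:>6}B {r['verdict']}")
    sys.exit(0 if is_hardened(res) else 1)
```

Run it from outside the trusted network after applying the web server rules; exit code 1 means at least one probe path is still served, and a "redirected" verdict deserves a manual look because some reverse proxies answer for blocked paths with a redirect to the front page rather than a 403.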
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

