CVE-2026-35450 Overview
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. This represents a missing authentication vulnerability (CWE-306) that allows unauthenticated attackers to obtain sensitive server configuration information. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin(), making this an inconsistent access control implementation.
Critical Impact
Unauthenticated access to FFmpeg server configuration information could allow attackers to map internal infrastructure, identify connected media processing servers, and gather intelligence for subsequent attacks.
Affected Products
- WWBN AVideo version 26.0 and prior
Discovery Timeline
- 2026-04-06 - CVE-2026-35450 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35450
Vulnerability Analysis
This vulnerability stems from missing authentication controls on the check.ffmpeg.json.php API endpoint within the WWBN AVideo platform. The endpoint is designed to probe and report the connectivity status of configured FFmpeg remote servers, which is part of the platform's media encoding and processing infrastructure.
The security flaw lies in the inconsistent implementation of access controls across related FFmpeg management endpoints. While similar endpoints such as kill.ffmpeg.json.php, list.ffmpeg.json.php, and ffmpeg.php all enforce administrative authentication via User::isAdmin() checks, the check.ffmpeg.json.php endpoint lacks this protection entirely. This allows any unauthenticated remote attacker to query the endpoint and receive information about the FFmpeg server configuration and connectivity status.
The network-accessible nature of this vulnerability means attackers can probe the endpoint without any prior authentication, making reconnaissance trivial. While the direct impact is limited to information disclosure, the exposed configuration data could reveal internal network topology, server addresses, and operational status of media processing infrastructure.
Root Cause
The root cause is a missing authentication check (CWE-306) in the plugin/API/check.ffmpeg.json.php endpoint. During development, the User::isAdmin() authentication guard was applied to other FFmpeg management endpoints but was inadvertently omitted from this specific endpoint. This inconsistent security implementation creates an unauthenticated information disclosure vector.
Attack Vector
An attacker can exploit this vulnerability by sending an unauthenticated HTTP request to the vulnerable endpoint at plugin/API/check.ffmpeg.json.php. The endpoint responds with FFmpeg server connectivity status and configuration details without requiring any authentication credentials.
The vulnerability is accessible via direct network requests to the AVideo web application. An attacker would simply craft an HTTP GET request to the vulnerable endpoint, and the server would return the FFmpeg configuration probe results. This information could be used to understand the target's infrastructure, identify internal servers, or plan subsequent attacks against the media processing components.
For technical details about the vulnerability mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35450
Indicators of Compromise
- Unusual access patterns to /plugin/API/check.ffmpeg.json.php from external IP addresses
- High volume of requests to FFmpeg-related API endpoints without corresponding authenticated sessions
- Web server logs showing unauthenticated access attempts to the vulnerable endpoint
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on access to check.ffmpeg.json.php without authentication
- Configure intrusion detection systems to flag reconnaissance-style sequential requests to FFmpeg API endpoints
- Review web server access logs for requests to the vulnerable endpoint path from untrusted sources
Monitoring Recommendations
- Enable detailed logging for all API endpoint access within the AVideo platform
- Set up alerts for any unauthenticated requests to administrative or configuration-related endpoints
- Monitor network traffic for enumeration patterns targeting the plugin/API directory structure
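The following is an added example, not part of this advisory or of the AVideo project: a Python script that applies the indicators above to web-server access logs, flagging successful unauthenticated requests to check.ffmpeg.json.php and clients walking several plugin/API paths. It assumes (neither is stated in the advisory) that log lines are in Apache/Nginx "combined" format with the request's Cookie header appended as a final quoted field, and that an AVideo session is carried in a PHPSESSID cookie; the log lines embedded in it are constructed samples, not real traffic.

```python
"""Added example (not from the advisory or from AVideo): apply the indicators
above to web-server access logs.

Assumptions (not stated in the advisory): lines are in Apache/Nginx "combined"
format with one extra trailing quoted field holding the request's Cookie header,
and an AVideo session is carried in a PHPSESSID cookie. Adjust both to your
deployment.
"""
import re
from collections import defaultdict

SESSION_COOKIE = "PHPSESSID"                      # assumption, see above
VULN_ENDPOINT = "/plugin/API/check.ffmpeg.json.php"
API_PREFIX = "/plugin/API/"
ENUM_THRESHOLD = 3   # distinct plugin/API paths from one client before flagging enumeration

# combined log format + trailing "%{Cookie}i" field
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # admin with a session checks the FFmpeg servers: legitimate use
    '10.0.0.5 - - [06/Apr/2026:10:00:01 +0000] "GET /plugin/API/check.ffmpeg.json.php HTTP/1.1" 200 128 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    # no session cookie, yet a 200 with a body: the CWE-306 condition
    '203.0.113.9 - - [06/Apr/2026:10:05:12 +0000] "GET /plugin/API/check.ffmpeg.json.php HTTP/1.1" 200 128 "-" "curl/8.0" "-"',
    # same client walking the sibling endpoints, which are guarded
    '203.0.113.9 - - [06/Apr/2026:10:05:13 +0000] "GET /plugin/API/list.ffmpeg.json.php HTTP/1.1" 403 0 "-" "curl/8.0" "-"',
    '203.0.113.9 - - [06/Apr/2026:10:05:14 +0000] "GET /plugin/API/kill.ffmpeg.json.php?id=1 HTTP/1.1" 403 0 "-" "curl/8.0" "-"',
    # unrelated request
    '198.51.100.2 - - [06/Apr/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    'not a log line',
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]          # drop the query string
    rec["status"] = int(rec["status"])
    rec["authenticated"] = f"{SESSION_COOKIE}=" in rec["cookie"]
    return rec


def analyse(lines):
    """Return (indicator, client_ip, detail) tuples for the two indicators."""
    findings = []
    api_paths_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(API_PREFIX):
            api_paths_by_ip[rec["ip"]].add(rec["path"])
        # A 200 to a client with no session is the vulnerable behaviour; after
        # the fix the same request must not return the probe result.
        if rec["path"] == VULN_ENDPOINT and rec["status"] == 200 and not rec["authenticated"]:
            findings.append(("unauthenticated-ffmpeg-probe", rec["ip"], rec["ts"]))
    for ip, paths in api_paths_by_ip.items():
        if len(paths) >= ENUM_THRESHOLD:
            findings.append(("api-enumeration", ip, ",".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Two caveats on the design: presence of a session cookie only shows that a session exists, not that it belongs to an administrator, so correlate hits with the application's own user logs before drawing conclusions; and if you add the Cookie header to your access-log format for this purpose, log only whether the session cookie is present rather than its value, since the log would otherwise hold live session tokens. The first rule also serves as a post-patch check: once User::isAdmin() is enforced, an unauthenticated request to the endpoint should no longer produce a 200 with the probe result.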
How to Mitigate CVE-2026-35450
Immediate Actions Required
- Restrict access to the check.ffmpeg.json.php endpoint at the web server level using access control rules
- Implement IP-based restrictions to limit access to the AVideo administrative API endpoints
- Review and audit all API endpoints for consistent authentication enforcement
Patch Information
Review the GitHub Security Advisory for official patch information and recommended upgrade paths. Ensure that the authentication check User::isAdmin() is applied consistently to all FFmpeg management endpoints including check.ffmpeg.json.php.
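To support the audit item under Immediate Actions and the consistency check recommended above, here is an added example (not the advisory's or AVideo's own code): a Python script that reads a set of PHP API scripts and reports those that can emit a response before any User::isAdmin() call. It is a grep-level check rather than a PHP parser, so treat its output as a list of files to read by hand. The sample scripts, the bootstrap.php include, the probeServers() call and the forbiddenPage() helper are constructed stand-ins, not AVideo source.

```python
"""Added example (not from the advisory or from AVideo): a grep-level audit that
reports PHP API scripts which can emit output before any User::isAdmin() call.

The scripts below are constructed stand-ins for plugin/API files; 'bootstrap.php',
probeServers() and forbiddenPage() are placeholders, not AVideo's real code.
"""
import re

GUARD_RE = re.compile(r"User::isAdmin\s*\(\s*\)")
# statements that can send a response body to the client
OUTPUT_RE = re.compile(r"\b(echo|print|die|exit)\b")


def strip_php_comments(src):
    """Remove /* */, // and # comments so a guard mentioned only in a TODO does
    not count. Deliberately simple: it does not understand string literals, so
    a '//' inside a string also truncates that line."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)


def has_guard_before_output(src):
    """True if the script's first output statement is preceded by the admin guard."""
    code = strip_php_comments(src)
    out = OUTPUT_RE.search(code)
    if out is None:
        return True                  # nothing is sent, nothing to protect
    guard = GUARD_RE.search(code)
    return guard is not None and guard.start() < out.start()


def audit(endpoints):
    """Return the sorted names of scripts that fail the check."""
    return sorted(name for name, src in endpoints.items()
                  if not has_guard_before_output(src))


# Constructed sources, modelled on the pattern the advisory describes.
SAMPLE_ENDPOINTS = {
    # guard first, then the JSON response: consistent with the sibling endpoints
    "kill.ffmpeg.json.php": (
        "<?php\n"
        "require_once 'bootstrap.php';\n"
        "if (!User::isAdmin()) { forbiddenPage(); }\n"
        "$obj = new stdClass(); $obj->killed = true;\n"
        "die(json_encode($obj));\n"
    ),
    # guard only mentioned in a comment: the missing-authentication case
    "check.ffmpeg.json.php": (
        "<?php\n"
        "require_once 'bootstrap.php';\n"
        "// TODO: add User::isAdmin() check like the other endpoints\n"
        "$obj = new stdClass(); $obj->servers = probeServers();\n"
        "die(json_encode($obj));\n"
    ),
    # guard present but placed after the output has already been sent
    "status.json.php": (
        "<?php\n"
        "$obj = new stdClass(); $obj->ok = true;\n"
        "echo json_encode($obj);\n"
        "if (!User::isAdmin()) { forbiddenPage(); }\n"
    ),
}


if __name__ == "__main__":
    for name in audit(SAMPLE_ENDPOINTS):
        print(f"missing or late admin guard: {name}")
```

Run it against a real checkout by loading each file under the API directory into the dictionary in place of SAMPLE_ENDPOINTS. The third sample is the case worth remembering: a guard that is present but placed after the first echo is as ineffective as no guard, so the check compares positions rather than merely testing for the call's presence.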
Workarounds
- Block access to the vulnerable endpoint using web server configuration (e.g., Apache .htaccess or Nginx location blocks)
- Implement network-level firewall rules to restrict access to the AVideo API directory from untrusted networks
- Add authentication middleware at the web server or reverse proxy level for all API endpoints
# Nginx configuration to block unauthenticated access to vulnerable endpoint
# Use an exact-match ("=") location: a plain prefix location would be shadowed
# by the usual "location ~ \.php$" handler, because regex locations take
# precedence over non-exact prefix matches, and the request would still reach PHP.
location = /plugin/API/check.ffmpeg.json.php {
    deny all;      # access-phase rule (403)
    return 403;    # rewrite-phase rule; either directive alone is sufficient
}
# Apache .htaccess rule to restrict access (Apache 2.4 syntax; the directory
# needs "AllowOverride AuthConfig" for this to take effect; on 2.2 use
# "Order deny,allow" followed by "Deny from all")
<Files "check.ffmpeg.json.php">
    Require all denied
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.