CVE-2026-39368: WWBN AVideo SSRF Vulnerability

CVE-2026-39368 is a stored server-side request forgery flaw in WWBN AVideo that allows authenticated streamers to trigger unauthorized internal requests. This post covers technical details, affected versions, and mitigations.

CVE-2026-39368 Overview

CVE-2026-39368 is a Server-Side Request Forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepts an attacker-controlled restreamerURL and later fetches that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allows a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

Critical Impact

Authenticated attackers with streaming permissions can exploit this stored SSRF vulnerability to access internal services and sensitive resources that should not be externally accessible, potentially leading to exposure of confidential information from internal network infrastructure.

Affected Products

  • WWBN AVideo version 26.0 and prior

Discovery Timeline

  • 2026-04-07 - CVE-2026-39368 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-39368

Vulnerability Analysis

This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The flaw exists in the Live restream log callback functionality of WWBN AVideo. The application fails to properly validate or sanitize the restreamerURL parameter before storing and subsequently using it to make server-side HTTP requests.

The stored nature of this SSRF makes it particularly concerning, as the malicious URL persists in the application and can be triggered multiple times. When the restream log feature processes the stored callback URL, it initiates an HTTP request from the server itself, effectively bypassing network-level access controls that protect internal services.

Root Cause

The root cause of this vulnerability is insufficient input validation on the restreamerURL parameter within the Live restream log callback flow. The application accepts and stores user-controlled URLs without verifying that they point to legitimate external streaming services. When these URLs are later fetched server-side, the application blindly makes HTTP requests to whatever destination was specified, including internal network addresses and localhost services.

Attack Vector

The attack vector is network-based and requires authentication with streaming permissions. An attacker with a valid low-privilege account that has streaming capabilities can exploit this vulnerability through the following mechanism:

  1. The attacker authenticates to the AVideo platform with an account that has streaming permissions
  2. When configuring a restream, the attacker supplies a malicious restreamerURL pointing to an internal service (e.g., http://127.0.0.1:8080/admin or http://internal-service.local/sensitive-endpoint)
  3. The application stores this URL in its database without adequate validation
  4. When the restream log callback is triggered, the server makes an HTTP request to the attacker-specified internal URL
  5. The response from the internal service may be reflected back to the attacker or logged, enabling information disclosure

This stored SSRF vulnerability can be used to probe internal network topology, access metadata services in cloud environments, interact with internal APIs, or exfiltrate data from services accessible only from the server's network position.

Detection Methods for CVE-2026-39368

Indicators of Compromise

  • Unusual outbound HTTP requests from the AVideo server to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Restream configuration entries containing localhost or private IP addresses in the restreamerURL field
  • Server-side requests to cloud metadata endpoints (e.g., 169.254.169.254)
  • Anomalous network traffic patterns from the web application server to internal services

Detection Strategies

  • Implement network monitoring to detect HTTP requests from the AVideo server to internal or reserved IP address ranges
  • Review application logs for restream configurations containing suspicious URLs pointing to internal resources
  • Deploy web application firewalls (WAF) with SSRF detection rules to identify and block malicious callback URLs
  • Monitor for DNS resolution requests to internal hostnames originating from the AVideo application server

Monitoring Recommendations

  • Enable detailed logging for all restream configuration changes and callback URL submissions
  • Set up alerts for any server-side requests to domains outside the allowlist or to internal IP addresses
  • Implement egress filtering and monitor for violations or blocked connection attempts
  • Regularly audit stored restream configurations for suspicious or malformed URLs

How to Mitigate CVE-2026-39368

Immediate Actions Required

  • Upgrade WWBN AVideo to a patched version when available
  • Implement network-level egress filtering to prevent the server from making requests to internal IP ranges
  • Review and audit existing restream configurations for any suspicious callback URLs
  • Consider temporarily disabling the restream log callback feature if it is not essential to operations

Patch Information

For detailed information about available patches and security updates, refer to the GitHub Security Advisory GHSA-q4x6-6mm2-crg9. Organizations running WWBN AVideo version 26.0 or prior should monitor this advisory for patch release information and upgrade as soon as a fixed version becomes available.

Workarounds

  • Implement a URL allowlist for valid restreaming services and reject any restreamerURL values that do not match approved domains
  • Configure firewall rules to block outbound connections from the AVideo server to internal network ranges and sensitive cloud metadata endpoints
  • Restrict streaming permissions to only trusted users who have a legitimate need for restreaming functionality
  • Deploy a reverse proxy that inspects and filters outbound requests from the application before they reach the network
```bash
# Example iptables rules to block SSRF attempts to internal networks.
# Scope: matches only traffic from processes running as the web server
# user (www-data); adjust the UID for your deployment. IPv4 only: mirror
# these with ip6tables (::1/128, fc00::/7, fe80::/10) where IPv6 is enabled.
# Caution: dropping 127.0.0.0/8 also blocks legitimate local TCP clients
# (e.g. a database reached on 127.0.0.1), so exempt those ports beforehand.
# Block requests to localhost
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j DROP
# Block requests to private networks
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
# Block cloud metadata endpoint
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
```
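As an added illustration of the allowlist workaround and the stored-configuration audit recommended above (example code written for this page, not AVideo's own), the following Python validates a candidate restreamerURL against an operator allowlist and the internal ranges listed in the indicators section, then audits already-stored values for loopback or internal targets. The allowlist hosts and sample URLs are constructed, and the DNS resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical operator allowlist (an assumption here; AVideo ships none).
ALLOWED_HOSTS = {"restream.example.com", "callbacks.example.net"}

# Ranges the advisory lists as SSRF targets, plus IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",  # covers 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10")]

def is_internal_address(addr: str) -> bool:
    """True if a literal IP falls in a loopback/private/link-local range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def validate_restreamer_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=None):
    """Return (accepted, reason); call this before the URL is ever stored."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or userinfo present"
    if host.lower() not in allowed_hosts:
        return False, "host not in allowlist"
    try:  # resolver is injectable for tests; default is the system DNS
        addrs = (resolver(host) if resolver else
                 [i[4][0] for i in socket.getaddrinfo(host, None)])
    except socket.gaierror:
        return False, "unresolvable host"
    if any(is_internal_address(a) for a in addrs):  # allowlisted name pointing inward
        return False, "host resolves to an internal address"
    return True, "ok"

def targets_internal_host(url: str) -> bool:
    """True if a stored URL names loopback/internal by IP literal or name."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        return is_internal_address(host)  # literal IP in the URL
    except ValueError:  # a hostname, not an IP literal
        return host == "localhost" or host.endswith(".local")

def audit_stored_urls(urls):
    """Audit stored restreamerURL values, returning the ones to review."""
    return [u for u in urls if targets_internal_host(u)]
```

The audit only catches URLs that name an internal host literally; a public hostname whose DNS later points inward is caught by the resolve-and-check step in validate_restreamer_url, which is why both are needed.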

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
