CVE-2026-39368 Overview
CVE-2026-39368 is a Server-Side Request Forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepts an attacker-controlled restreamerURL and later fetches that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allows a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.
Critical Impact
Authenticated attackers with streaming permissions can exploit this stored SSRF vulnerability to access internal services and sensitive resources that should not be externally accessible, potentially leading to exposure of confidential information from internal network infrastructure.
Affected Products
- WWBN AVideo version 26.0 and prior
Discovery Timeline
- 2026-04-07 - CVE-2026-39368 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39368
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The flaw exists in the Live restream log callback functionality of WWBN AVideo. The application fails to properly validate or sanitize the restreamerURL parameter before storing and subsequently using it to make server-side HTTP requests.
The stored nature of this SSRF makes it particularly concerning, as the malicious URL persists in the application and can be triggered multiple times. When the restream log feature processes the stored callback URL, it initiates an HTTP request from the server itself, effectively bypassing network-level access controls that protect internal services.
Root Cause
The root cause of this vulnerability is insufficient input validation on the restreamerURL parameter within the Live restream log callback flow. The application accepts and stores user-controlled URLs without verifying that they point to legitimate external streaming services. When these URLs are later fetched server-side, the application blindly makes HTTP requests to whatever destination was specified, including internal network addresses and localhost services.
Attack Vector
The attack vector is network-based and requires authentication with streaming permissions. An attacker with a valid low-privilege account that has streaming capabilities can exploit this vulnerability through the following mechanism:
- The attacker authenticates to the AVideo platform with an account that has streaming permissions
- When configuring a restream, the attacker supplies a malicious restreamerURL pointing to an internal service (e.g., http://127.0.0.1:8080/admin or http://internal-service.local/sensitive-endpoint)
- The application stores this URL in its database without adequate validation
- When the restream log callback is triggered, the server makes an HTTP request to the attacker-specified internal URL
- The response from the internal service may be reflected back to the attacker or logged, enabling information disclosure
This stored SSRF vulnerability can be used to probe internal network topology, access metadata services in cloud environments, interact with internal APIs, or exfiltrate data from services accessible only from the server's network position.
Detection Methods for CVE-2026-39368
Indicators of Compromise
- Unusual outbound HTTP requests from the AVideo server to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Restream configuration entries containing localhost or private IP addresses in the restreamerURL field
- Server-side requests to cloud metadata endpoints (e.g., 169.254.169.254)
- Anomalous network traffic patterns from the web application server to internal services
Detection Strategies
- Implement network monitoring to detect HTTP requests from the AVideo server to internal or reserved IP address ranges
- Review application logs for restream configurations containing suspicious URLs pointing to internal resources
- Deploy web application firewalls (WAF) with SSRF detection rules to identify and block malicious callback URLs
- Monitor for DNS resolution requests to internal hostnames originating from the AVideo application server
Monitoring Recommendations
- Enable detailed logging for all restream configuration changes and callback URL submissions
- Set up alerts for any server-side requests to domains outside the approved allowlist or to internal IP addresses
- Implement egress filtering and monitor for violations or blocked connection attempts
- Regularly audit stored restream configurations for suspicious or malformed URLs
How to Mitigate CVE-2026-39368
Immediate Actions Required
- Upgrade WWBN AVideo to a patched version when available
- Implement network-level egress filtering to prevent the server from making requests to internal IP ranges
- Review and audit existing restream configurations for any suspicious callback URLs
- Consider temporarily disabling the restream log callback feature if it is not essential to operations
Patch Information
For detailed information about available patches and security updates, refer to the GitHub Security Advisory GHSA-q4x6-6mm2-crg9. Organizations running WWBN AVideo version 26.0 or prior should monitor this advisory for patch release information and upgrade as soon as a fixed version becomes available.
Workarounds
- Implement a URL allowlist for valid restreaming services and reject any restreamerURL values that do not match approved domains
- Configure firewall rules to block outbound connections from the AVideo server to internal network ranges and sensitive cloud metadata endpoints
- Restrict streaming permissions to only trusted users who have a legitimate need for restreaming functionality
- Deploy a reverse proxy that inspects and filters outbound requests from the application before they reach the network
# Example iptables rules to block SSRF attempts to internal networks.
# The rules match on the web server's process owner (www-data here; change it
# to the user your PHP-FPM/Apache worker runs as) so only the application is
# affected. Caveat: the loopback rule also blocks legitimate local TCP
# connections the application may rely on (for example a database listening on
# 127.0.0.1), so insert ACCEPT rules for those ports ahead of the DROP rule.
# REJECT instead of DROP makes the callback fetch fail immediately rather than
# hang until the HTTP client times out. These rules are IPv4 only; mirror them
# in ip6tables for the IPv6 equivalents.
# Block requests to localhost
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j DROP
# Block requests to private networks
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
# Block cloud metadata endpoint
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
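One way to implement the restreamerURL allowlist workaround above and the audit of stored restream configurations recommended under Monitoring Recommendations, as an added example that is not AVideo's own code. The allowlist hostnames, the resolver and the sample rows are constructed; name resolution goes through an injected function so the check runs offline here and so every address a name maps to is inspected, not just the first.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of legitimate restream targets (operator-supplied).
ALLOWED_HOSTS = {"live.restream.test", "ingest.cdn.test"}
def is_internal_ip(ip):
    """Loopback, RFC1918, link-local (covers 169.254.169.254), unspecified,
    multicast and reserved ranges are all off-limits for a callback fetch."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)

def validate_restreamer_url(url, resolve, allowed=ALLOWED_HOSTS):
    """Return None if the URL may be stored, else a rejection reason. resolve(host)
    returns every IP the name maps to; it is injected so the check runs offline."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # a DNS name rather than an IP literal
    if literal is not None and is_internal_ip(literal):
        return f"internal address literal: {host}"
    if host not in allowed:
        return f"host not in allowlist: {host}"
    addrs = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return f"host does not resolve: {host}"
    for ip in addrs:  # every A/AAAA answer is checked, not just the first
        if is_internal_ip(ip):
            return f"{host} resolves to internal address {ip}"
    return None

def audit_restream_configs(rows, resolve):
    """Run the same check over stored (row_id, restreamerURL) pairs and
    return the rows an operator should review."""
    return [(rid, why) for rid, url in rows
            if (why := validate_restreamer_url(url, resolve))]

# Constructed sample data: a fake resolver and four stored rows.
FAKE_DNS = {"live.restream.test": ["151.101.1.140"], "ingest.cdn.test": ["93.184.216.34", "10.0.0.5"]}
fake_resolve = lambda host: FAKE_DNS.get(host, [])
SAMPLE_ROWS = [(1, "https://live.restream.test/callback"), (2, "http://127.0.0.1:8080/admin"),
               (3, "http://169.254.169.254/latest/meta-data/"), (4, "https://ingest.cdn.test/log")]
```

Running `audit_restream_configs(SAMPLE_ROWS, fake_resolve)` flags rows 2, 3 and 4; the last one is an allowlisted name that also resolves to a private address, the case a hostname-only allowlist misses.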
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.