CVE-2026-40926 Overview
CVE-2026-40926 is a Cross-Site Request Forgery (CSRF) vulnerability affecting WWBN AVideo, an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check (Category::canCreateCategory() / User::isAdmin()) and perform state-changing actions against the database without calling isGlobalTokenValid() or forbidIfIsUntrustedRequest().
Peer endpoints in the same directory (pluginSwitch.json.php, pluginRunDatabaseScript.json.php) do enforce the CSRF token, so the missing checks are an omission rather than a design choice.
Critical Impact
An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's updateScript() method in the admin's session.
Affected Products
- WWBN AVideo versions 29.0 and prior
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40926 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40926
Vulnerability Analysis
The vulnerability stems from inconsistent CSRF protection implementation across admin-only JSON endpoints in the AVideo platform. While some endpoints properly validate requests using isGlobalTokenValid() or forbidIfIsUntrustedRequest() functions, three critical endpoints were left unprotected:
- objects/categoryAddNew.json.php - Allows category creation
- objects/categoryDelete.json.php - Allows category deletion
- objects/pluginRunUpdateScript.json.php - Allows plugin update script execution
These endpoints only verify that the requesting user has appropriate administrative privileges but fail to confirm that the request originated from a legitimate source within the application. This allows attackers to craft malicious web pages that submit forged requests on behalf of authenticated administrators who visit those pages.
Root Cause
The root cause is the inconsistent application of CSRF protection mechanisms across the AVideo codebase. The vulnerable endpoints implement role-based access control checks (Category::canCreateCategory() and User::isAdmin()) but omit the critical CSRF token validation that peer endpoints in the same directory implement. This indicates a development oversight rather than an intentional design decision, as similar endpoints do properly enforce CSRF protections.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must craft a malicious webpage containing hidden forms or JavaScript that target the vulnerable AVideo endpoints. When an authenticated administrator with an active session visits the attacker-controlled page, the malicious requests are automatically submitted to the AVideo server using the admin's credentials and session cookies. The server, lacking CSRF token validation, processes these requests as legitimate administrative actions.
The following code snippets show the security patch for two of the three affected endpoints; in each case the fix is a single added forbidIfIsUntrustedRequest() call placed after the role check and before the first state-changing line:
Patch for objects/categoryAddNew.json.php:
$obj->msg = __("Permission denied");
die(json_encode($obj));
}
+forbidIfIsUntrustedRequest('categoryAddNew');
$objCat = new Category(intval(@$_POST['id']));
$objCat->setName($_POST['name']);
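Review bot: the new guard sits after the permission check and before the first write (`$objCat = new Category(intval(@$_POST['id']))`), which is the right place, but the `@` there suppresses the undefined-index notice instead of handling the missing parameter; `intval($_POST['id'] ?? 0)` is the idiomatic form. `$objCat->setName($_POST['name'])` likewise takes the raw POST value with no isset() check in this hunk, so confirm that setName() validates it, which is not visible here.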
Source: GitHub AVideo Commit
Patch for objects/categoryDelete.json.php:
if (!Category::canCreateCategory()) {
die('{"error":"' . __("Permission denied") . '"}');
}
+forbidIfIsUntrustedRequest('categoryDelete');
require_once 'category.php';
$obj = new Category($_POST['id']);
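Review bot: `$obj = new Category($_POST['id'])` passes the raw POST value, whereas categoryAddNew.json.php wraps the same parameter in intval(); unless the Category constructor casts it, do the same here for consistency. Two smaller points in the same hunk: the permission-denied response is built by string concatenation (`die('{"error":"' . __("Permission denied") . '"}')`), which yields invalid JSON if a translated message ever contains a double quote, so json_encode() as in the sibling file is safer; and `require_once 'category.php'` comes after `Category::canCreateCategory()` has already been called, so the class must already be loaded and the require is redundant where it stands.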
Source: GitHub AVideo Commit
Detection Methods for CVE-2026-40926
Indicators of Compromise
- Unexpected category creation, modification, or deletion in AVideo audit logs without corresponding admin activity
- Plugin update scripts executed at unusual times or without admin initiation
- HTTP POST requests to the affected endpoints (categoryAddNew.json.php, categoryDelete.json.php, pluginRunUpdateScript.json.php) whose Origin or Referer header names a host other than the AVideo site. Origin is the more reliable of the two: browsers send it on cross-origin POSTs even when a Referrer-Policy strips Referer, so a request with no Referer at all is inconclusive rather than an indicator on its own. Note that the source IP and User-Agent of a forged request are the admin's own, since the admin's browser sends it
Detection Strategies
- Monitor web server access logs for POST requests to the affected endpoints whose Origin or Referer host is not the AVideo site; if your log format does not record the Origin header, add it (in nginx, include $http_origin in log_format). Treat requests carrying neither header as worth a second look, not as proof of abuse, since many legitimate clients omit Referer
- Implement web application firewall (WAF) rules to detect and block cross-origin POST requests to administrative JSON endpoints
- Review AVideo application logs for category management and plugin script execution activities that don't correlate with known admin sessions
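To make the indicator and detection lists above concrete, here is an added example (not code from this page, the advisory, or the AVideo project) that runs the Origin/Referer check over constructed access-log lines. It assumes an nginx log_format equal to the standard combined format plus one extra quoted field, $http_origin; the regular expression and the sample lines are assumptions for the example and must be adapted to your own log format. It also shows the caveat from the indicators list: the forged request arrives from the admin's own IP address, and a request with neither header is flagged as inconclusive rather than as an attack.

```python
import re
from urllib.parse import urlsplit

# Endpoints named in the advisory (paths relative to the AVideo web root).
AFFECTED = (
    "/objects/categoryAddNew.json.php",
    "/objects/categoryDelete.json.php",
    "/objects/pluginRunUpdateScript.json.php",
)

# Assumed log format: nginx "combined" plus one extra quoted field, $http_origin.
# This is an assumption for the example; adjust the regex to your own log_format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)


def _host(value):
    """Return the lowercase hostname of an absolute URL or origin, or None."""
    if not value or value in ("-", "null"):
        return None
    return (urlsplit(value).hostname or "").lower() or None


def classify(line, site_host):
    """Classify one access-log line against the affected endpoints.

    Returns None for lines that are not POSTs to an affected endpoint, otherwise
    'cross-origin', 'same-origin' or 'no-origin-info'.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if m.group("method") != "POST" or path not in AFFECTED:
        return None
    # Origin is the stronger signal: browsers send it on cross-origin POSTs even
    # when a Referrer-Policy strips Referer. Fall back to Referer only if Origin is absent.
    for header in (m.group("origin"), m.group("referer")):
        host = _host(header)
        if host is not None:
            return "same-origin" if host == site_host.lower() else "cross-origin"
    return "no-origin-info"


def suspicious(lines, site_host):
    """Return (ip, path, verdict) for every POST to an affected endpoint that is not
    demonstrably same-origin. 'no-origin-info' rows are included because a CSRF page
    served with Referrer-Policy: no-referrer produces them, but they are not conclusive."""
    out = []
    for line in lines:
        verdict = classify(line, site_host)
        if verdict in ("cross-origin", "no-origin-info"):
            m = LINE_RE.match(line)
            out.append((m.group("ip"), m.group("path").split("?", 1)[0], verdict))
    return out


# Constructed sample lines for the demonstration; not real traffic. Note that the
# legitimate and the forged POST come from the same client address: the admin's.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:00:01 +0000] "POST /objects/categoryDelete.json.php HTTP/1.1" 200 17 "https://video.example.org/view/categories.php" "Mozilla/5.0" "https://video.example.org"',
    '203.0.113.7 - - [21/Apr/2026:10:02:13 +0000] "POST /objects/categoryDelete.json.php HTTP/1.1" 200 17 "https://evil.example.net/lure.html" "Mozilla/5.0" "https://evil.example.net"',
    '203.0.113.7 - - [21/Apr/2026:10:03:44 +0000] "POST /objects/pluginRunUpdateScript.json.php HTTP/1.1" 200 21 "-" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [21/Apr/2026:10:04:00 +0000] "GET /objects/categoryAddNew.json.php HTTP/1.1" 200 44 "-" "curl/8.0" "-"',
]

if __name__ == "__main__":
    for row in suspicious(SAMPLE_LOG, "video.example.org"):
        print(*row)
```

The Origin-before-Referer order matters: a lure page can set its own Referrer-Policy to hide the Referer, but it cannot stop the browser from sending Origin on a cross-origin POST, so a rule that keys on Referer alone is easy to evade.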
Monitoring Recommendations
- Enable detailed logging for all administrative actions within AVideo, including category management and plugin operations
- Configure alerting for administrative endpoint access from unexpected IP addresses or user agents; note that this catches a stolen or shared session, not CSRF, because a forged request is sent by the admin's own browser and therefore carries the admin's usual IP address and User-Agent
- Implement real-time monitoring for changes to critical AVideo configurations and category structures
How to Mitigate CVE-2026-40926
Immediate Actions Required
- Upgrade AVideo to a version containing commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 or later
- Review recent category changes and plugin script executions for unauthorized modifications
- Consider restricting administrative access to trusted IP addresses until patching is complete; this narrows exposure to admins browsing from outside the allowlist but does not stop a forged request sent by an admin's browser from inside it
- Educate administrators about the risks of visiting untrusted websites while logged into AVideo
Patch Information
The vulnerability has been addressed in commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2. The fix adds forbidIfIsUntrustedRequest() validation calls to the three affected endpoints, bringing them in line with other administrative endpoints in the codebase.
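As a post-upgrade check, here is an added example (not the project's own code) that looks in each of the three endpoint files for a call to either guard the advisory names, forbidIfIsUntrustedRequest() or isGlobalTokenValid(), ignoring commented-out occurrences. It builds a constructed web root with illustrative file contents so that it runs offline; those contents are made up for the demonstration and are not AVideo source. Point audit() at a real AVideo installation directory to check a deployment.

```python
import os
import re
import tempfile

# The three endpoints the advisory names, relative to the AVideo web root.
AFFECTED = [
    "objects/categoryAddNew.json.php",
    "objects/categoryDelete.json.php",
    "objects/pluginRunUpdateScript.json.php",
]

# Either guard used elsewhere in the objects/ directory counts as protection.
GUARD_RE = re.compile(r"\b(forbidIfIsUntrustedRequest|isGlobalTokenValid)\s*\(")


def check_endpoint(path):
    """Return 'protected', 'unprotected' or 'missing' for one endpoint file."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    # Heuristic comment stripping so a commented-out guard does not count:
    # block comments first, then // and # line comments.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*|#[^\n]*", "", src)
    return "protected" if GUARD_RE.search(src) else "unprotected"


def audit(webroot):
    """Map each affected endpoint to its status under the given web root."""
    return {rel: check_endpoint(os.path.join(webroot, rel)) for rel in AFFECTED}


def make_demo_webroot():
    """Build a constructed web root: one patched file, one unpatched, and one where
    the guard appears only inside a comment. Illustrative content, not AVideo source."""
    root = tempfile.mkdtemp(prefix="avideo-demo-")
    os.makedirs(os.path.join(root, "objects"))
    files = {
        AFFECTED[0]: "<?php\nif (!Category::canCreateCategory()) { die('denied'); }\n"
                     "forbidIfIsUntrustedRequest('categoryAddNew');\n",
        AFFECTED[1]: "<?php\nif (!Category::canCreateCategory()) { die('denied'); }\n"
                     "$obj = new Category($_POST['id']);\n",
        AFFECTED[2]: "<?php\n// forbidIfIsUntrustedRequest('pluginRunUpdateScript');\n"
                     "if (!User::isAdmin()) { die('denied'); }\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, status in audit(make_demo_webroot()).items():
        print(f"{status:12} {rel}")
```

A 'protected' result only shows that a guard call is present somewhere in the file, not that it runs before every state-changing statement; for the two hunks shown above the placement is visible, and for pluginRunUpdateScript.json.php it should be read by hand.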
For detailed patch information, refer to:
Workarounds
- Implement web application firewall rules to block POST requests to the affected endpoints whose Origin or Referer header does not match the AVideo site's origin; do not block solely on a missing Referer, which many legitimate clients omit
- Restrict access to the AVideo admin panel using IP allowlisting or VPN requirements, bearing in mind that this does not block a forged request sent from an admin's browser that is already inside the allowlist
- Instruct administrators to use dedicated browser profiles or private browsing sessions when accessing the AVideo admin interface, so that no AVideo session cookie exists in the profile used for general browsing
- Where the PHP session cookie can be given a SameSite attribute (session.cookie_samesite = Lax in php.ini on PHP 7.3 and later), browsers that honour it will not attach the cookie to cross-site POST requests, which blunts this class of attack independently of the application's token checks; confirm that AVideo still works with the setting before relying on it
# Example nginx configuration to restrict admin endpoint access
# Caveat: this only narrows where the admin's browser may be located. A CSRF
# request is sent by the admin's own browser, so if the admin is on an allowed
# network the forged POST passes this filter. Patching is the real fix.
location ~ ^/objects/(categoryAddNew|categoryDelete|pluginRunUpdateScript)\.json\.php$ {
    # Allow only from trusted internal network
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    # Pass to PHP-FPM (fastcgi_params on some distributions does not set
    # SCRIPT_FILENAME, so set it explicitly)
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php-fpm.sock;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

