CVE-2026-40928 Overview
CVE-2026-40928 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WWBN AVideo open source video platform. The flaw exists in multiple JSON endpoints under the objects/ directory that accept state-changing requests via $_REQUEST/$_GET and persist changes tied to the caller's session user without implementing any anti-CSRF token, origin check, or referer validation.
A malicious page visited by a logged-in victim can silently perform unauthorized actions including casting or flipping likes/dislikes on comments via objects/comments_like.json.php, posting comments authored by the victim with attacker-chosen text via objects/commentAddNew.json.php, and deleting assets from categories via objects/categoryDeleteAssets.json.php when the victim has category management rights.
Critical Impact
Attackers can perform unauthorized actions on behalf of authenticated users, including manipulating comments, posting content, and deleting category assets, through simple HTML-based attacks that require only that the victim visit an attacker-controlled page.
Affected Products
- WWBN AVideo versions 29.0 and prior
- All AVideo installations with accessible objects/ JSON endpoints
- Deployments where users have category management permissions
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40928 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40928
Vulnerability Analysis
This Cross-Site Request Forgery vulnerability stems from the complete absence of request validation mechanisms in multiple AVideo JSON endpoints. The affected endpoints process state-changing operations directly from user requests without verifying the request origin or validating anti-CSRF tokens.
The vulnerable endpoints include:
- objects/comments_like.json.php - Handles like/dislike operations on comments
- objects/commentAddNew.json.php - Processes new comment submissions
- objects/categoryDeleteAssets.json.php - Manages asset deletion within categories
Each endpoint reads its parameters from PHP's $_REQUEST or $_GET superglobals and identifies the caller solely through the session cookie that the browser attaches automatically, so any request that reaches the endpoint runs as the logged-in user regardless of which site initiated it. This design flaw allows cross-origin requests from attacker-controlled pages to execute privileged operations.
Root Cause
The root cause is the lack of anti-CSRF protections in the affected JSON endpoints. The application fails to implement any of the standard CSRF defense mechanisms including synchronizer tokens, SameSite cookie attributes, origin header validation, or referer checking. This allows any external website to craft requests that execute with the privileges of authenticated AVideo users.
Attack Vector
Exploitation requires a logged-in AVideo user to visit an attacker-controlled web page. The attack can be executed through various HTML elements that trigger cross-origin requests:
- Simple <img src="..."> tags pointing to vulnerable endpoints
- Auto-submitting HTML forms with hidden fields
- JavaScript-based fetch or XMLHttpRequest calls
Since the endpoints respond to GET requests and use session cookies for authentication, browsers automatically include the victim's credentials when loading attacker-crafted resources. The attack is entirely silent from the victim's perspective, requiring no interaction beyond loading the malicious page.
// Security patch in objects/categoryDeleteAssets.json.php
// Source: https://github.com/WWBN/AVideo/commit/7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c
$obj->msg = __("Permission denied");
die(json_encode($obj));
}
-
+forbidIfIsUntrustedRequest('categoryDeleteAssets');
if (!Category::deleteAssets($obj->id)) {
$obj->error = false;
}else{
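Review bot: the return value of forbidIfIsUntrustedRequest('categoryDeleteAssets') is discarded and Category::deleteAssets($obj->id) runs unconditionally on the next line, so this guard only protects the deletion if the function terminates the request itself, the way the preceding die(json_encode($obj)) does for the permission check; the function body is not in the hunk, so confirm that it exits on failure or wrap the call as if (!forbidIfIsUntrustedRequest('categoryDeleteAssets')) { die(json_encode($obj)); }. The lone "-" line only drops a blank line, which is fine.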
The patch adds a call to forbidIfIsUntrustedRequest(), which validates the request before the sensitive operation runs.
// Security patch in objects/commentAddNew.json.php
// Source: https://github.com/WWBN/AVideo/commit/7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c
$obj->msg = __("Permission denied");
die(json_encode($obj));
}
+forbidIfIsUntrustedRequest('commentAddNew');
function isCommentASpam($comment, $videos_id)
{
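Review bot: the guard forbidIfIsUntrustedRequest('commentAddNew') is inserted after the Permission denied branch and directly against the isCommentASpam() declaration; a blank line between the call and the function header would keep the top-level control flow readable. More substantively, the hunk leaves the $_REQUEST/$_GET parameter handling untouched, so the endpoint still answers GET requests; consider also rejecting non-POST methods here so that a simple subresource load cannot reach the comment-creation path even if the trust check were ever bypassed.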
Detection Methods for CVE-2026-40928
Indicators of Compromise
- Unexpected comment activity on videos from authenticated user accounts
- Unusual like/dislike patterns on comments that users deny initiating
- Category asset deletions without corresponding administrator actions
- HTTP access logs showing requests to objects/*.json.php endpoints with external referer headers
Detection Strategies
- Monitor web server logs for requests to vulnerable endpoints with referer headers from external domains
- Implement anomaly detection for rapid successive requests to comment and like endpoints from single users
- Review authentication logs for sessions making requests during times users report not being active
- Deploy web application firewall rules to flag cross-origin requests to sensitive JSON endpoints
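The referer-based log review suggested above, as an added Python example (not part of the advisory or of AVideo): it parses Apache combined-format access log lines, keeps only requests to objects/*.json.php, and flags those whose Referer is missing or belongs to a host other than the site's own. The site host video.example, the log lines and the IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Any JSON endpoint directly under objects/, which covers the three named in the advisory.
SENSITIVE_PATH = re.compile(r'^/objects/[^/?]+\.json\.php(\?|$)')

def classify(line, site_host):
    """Return a finding for a suspicious request to an objects/*.json.php endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or not SENSITIVE_PATH.match(m['path']):
        return None
    referer = m['referer']
    if referer in ('', '-'):
        reason = 'missing-referer'          # a cross-site <img> or form may omit it entirely
    else:
        host = (urlsplit(referer).hostname or '').lower()
        if host == site_host.lower():
            return None                     # same-site traffic: expected
        reason = f'external-referer:{host}'
    return {'ip': m['ip'], 'method': m['method'], 'path': m['path'], 'reason': reason}

def scan(lines, site_host):
    """Run classify() over log lines and keep only the findings."""
    return [f for f in (classify(line, site_host) for line in lines) if f]

# Constructed sample log lines (not real traffic); the site is served as video.example.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2026:10:00:01 +0000] "POST /objects/commentAddNew.json.php HTTP/1.1" 200 57 "https://video.example/video/123" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Apr/2026:10:00:02 +0000] "GET /objects/comments_like.json.php?comments_id=42&like=1 HTTP/1.1" 200 31 "https://attacker.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Apr/2026:10:00:03 +0000] "GET /objects/categoryDeleteAssets.json.php?id=9 HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2026:10:00:04 +0000] "GET /view/index.php HTTP/1.1" 200 5000 "https://search.example/" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG, 'video.example'):
        print(finding)
```

Only the two objects/ requests with a foreign or absent Referer are reported; the same-site POST and the unrelated external hit on /view/index.php are not.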
Monitoring Recommendations
- Enable detailed logging for all objects/ directory endpoints including full request headers
- Configure alerts for requests to state-changing endpoints originating from non-application domains
- Implement user activity dashboards allowing users to review recent account actions
- Monitor for patterns of simultaneous requests across multiple user sessions from similar source IPs
How to Mitigate CVE-2026-40928
Immediate Actions Required
- Update AVideo to a version containing commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c or later
- Review recent comment, like, and category modification activity for suspicious patterns
- Notify users with category management permissions about potential unauthorized actions
- Consider temporarily restricting access to the vulnerable endpoints if immediate patching is not possible
Patch Information
The vulnerability is addressed in commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c. The fix introduces request validation through the forbidIfIsUntrustedRequest() function across the affected endpoints. This function validates that requests originate from trusted sources before processing state-changing operations.
For detailed patch information, refer to the GitHub Security Advisory and the commit containing the fix.
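The Root Cause section lists the defenses the affected endpoints lacked, and the patch wires in forbidIfIsUntrustedRequest(), whose internals the advisory does not show. The following Python function is an added stand-in written here to illustrate that class of check (it is not AVideo's code): it refuses safe methods for state changes, validates the Origin header (falling back to Referer only when Origin is absent) against the site's own host, and then compares a synchronizer token in constant time. Header and form dicts with lower-case keys, the host video.example and the token value are assumptions.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {'GET', 'HEAD', 'OPTIONS'}

def _header_host(value):
    """Hostname from an Origin/Referer value; None for an empty or literal 'null' header."""
    if not value or value.strip().lower() == 'null':
        return None
    return (urlsplit(value).hostname or '').lower() or None

def is_trusted_request(method, headers, form, site_host, session_token):
    """Return (allowed, reason) for a state-changing request.
    headers and form are dicts with lower-case keys; session_token is the
    synchronizer token stored server-side for the caller's session."""
    if method.upper() in SAFE_METHODS:
        # A state change reachable by GET can be triggered by a bare <img src>.
        return False, f'{method.upper()} not allowed for state-changing endpoint'
    # Browsers attach Origin to cross-site POSTs; use Referer only when Origin is absent.
    if 'origin' in headers:
        source, host = 'Origin', _header_host(headers['origin'])
    else:
        source, host = 'Referer', _header_host(headers.get('referer'))
    if host is None:
        return False, f'{source} header missing or unusable'
    if host != site_host.lower():
        return False, f'cross-site request from {host}'
    # Synchronizer token, compared in constant time against the session copy.
    supplied = form.get('csrf_token', '').encode()
    if not session_token or not hmac.compare_digest(supplied, session_token.encode()):
        return False, 'missing or invalid csrf token'
    return True, 'ok'

if __name__ == '__main__':
    token = 'c0ffee'   # constructed session token
    # Constructed requests against a deployment at video.example.
    print(is_trusted_request('GET', {'referer': 'https://video.example/'}, {}, 'video.example', token))
    print(is_trusted_request('POST', {'origin': 'https://attacker.invalid'}, {'csrf_token': token}, 'video.example', token))
    print(is_trusted_request('POST', {'origin': 'https://video.example'}, {'csrf_token': token}, 'video.example', token))
```

Note that an exact host comparison is deliberate: a prefix match would accept video.example.attacker.invalid.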
Workarounds
- Implement a web application firewall rule to block requests to objects/*.json.php endpoints with external or missing referer headers
- Configure the application behind a reverse proxy that validates the Origin header on all POST and state-changing GET requests
- Restrict network access to the AVideo administrative interface to trusted IP ranges
- Educate users about the risks of visiting untrusted websites while logged into AVideo
# Example Apache configuration to block external referers to vulnerable endpoints
# Place in the server or vhost configuration. In an .htaccess file inside objects/,
# use only the directives between the tags and omit the <Directory> wrapper, which
# is not permitted there.
<Directory "/var/www/avideo/objects">
RewriteEngine On
# Let requests with no Referer at all through (some browsers and privacy settings
# strip it); remove this condition to block those as well, per the workaround above.
RewriteCond %{HTTP_REFERER} !^$
# Reject any Referer whose origin is not this site. The (/|$) anchor matters:
# without it, your-avideo-domain.com.attacker.example would also pass.
RewriteCond %{HTTP_REFERER} !^https?://your-avideo-domain\.com(/|$) [NC]
RewriteRule \.json\.php$ - [F]
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

