CVE-2026-41057 Overview
WWBN AVideo, an open source video platform, contains an incomplete CORS origin validation vulnerability in versions 29.0 and below. The CORS origin validation fix introduced in commit 986e64aad is incomplete, leaving two separate code paths that still reflect arbitrary Origin headers with credentials allowed for all /api/* endpoints. This vulnerability enables attackers to make cross-origin credentialed requests to any API endpoint and read authenticated responses containing sensitive user data.
Critical Impact
An attacker can exploit this CORS misconfiguration to exfiltrate user PII, email addresses, admin status, and session-sensitive data through cross-origin credentialed requests from malicious websites.
Affected Products
- WWBN AVideo versions 29.0 and below
- AVideo API endpoints (/api/*)
- plugin/API/router.php and related API handlers (get.json.php, set.json.php)
Discovery Timeline
- 2026-04-21 - CVE-2026-41057 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41057
Vulnerability Analysis
This vulnerability stems from an incomplete security fix (CWE-346: Origin Validation Error) that was intended to address CORS origin validation issues. Two distinct code paths bypass the intended security controls:
Router-level reflection: In plugin/API/router.php (lines 4-8), the code unconditionally reflects any Origin header before application code runs, allowing arbitrary origins to be accepted.
API handler reflection: The allowOrigin(true) function called by get.json.php and set.json.php reflects any origin with Access-Control-Allow-Credentials: true, enabling credentialed cross-origin requests.
When exploited, an attacker hosting a malicious website can make authenticated requests to AVideo API endpoints on behalf of logged-in users, reading sensitive responses that include personal information and administrative data.
Root Cause
The root cause is an incomplete CORS origin validation fix that failed to address all code paths where the Access-Control-Allow-Origin header is set. The original patch in commit 986e64aad did not account for the early CORS header reflection in the API router or the permissive allowOrigin(true) function calls in the JSON API handlers. This allowed arbitrary origins to be reflected with credentials enabled, bypassing same-origin policy protections.
Attack Vector
The attack requires network access and user interaction. An attacker must lure an authenticated AVideo user to a malicious website. The malicious site can then make cross-origin XMLHttpRequest or Fetch API calls with credentials to the victim's AVideo instance. Because the server reflects the attacker's origin with Access-Control-Allow-Credentials: true, the browser includes session cookies, and the attacker's JavaScript can read the API responses containing user data.
<?php
// CORS preflight handling.
// OPTIONS preflights are cross-origin by definition (same-origin requests are never
// preflighted by browsers). Returning Access-Control-Allow-Origin: * without
// Access-Control-Allow-Credentials is safe:
//   - External API clients using APISecret (non-credentialed) proceed normally.
//   - Credentialed attacker requests are blocked: the browser sees no
//     Allow-Credentials: true in the preflight and aborts the actual request,
//     so session cookies are never sent.
// Actual GET/POST responses are handled by allowOrigin(true) in get/set.json.php,
// which enforces same-origin-only credentials (fixed in commit 986e64aad).
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD');
    header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, ua-resolution, APISecret, Origin, Accept, Access-Control-Request-Method, Access-Control-Request-Headers');
    // remainder of the preflight handler omitted in the excerpt
}
Source: GitHub Commit - Security Patch
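To make the two behaviours concrete, the following Python model is an added example, not AVideo's PHP and not the patch itself: one header policy that reflects any Origin with credentials (the flawed path described under Vulnerability Analysis), one hardened policy that answers preflights with a wildcard and no credentials (as the patched router excerpt above does) and reflects only allowlisted origins, plus a check that applies the browser's CORS rule to tell whether a page at another origin could read a cookie-authenticated response. The site origin, the allowlist and the untrusted origin are constructed placeholders.

```python
"""Added illustration (not AVideo's code) of the two CORS behaviours the advisory
contrasts, with a browser-rule check usable to audit header dicts captured from
one's own instance. Origins and the allowlist below are constructed."""

SITE_ORIGIN = "https://video.example.com"                   # assumed AVideo origin
TRUSTED_ORIGINS = {SITE_ORIGIN, "https://app.example.org"}  # assumed allowlist


def cors_headers_reflecting(method, origin):
    """The flawed pattern: echo whatever Origin arrives and allow credentials."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(method, origin):
    """Preflight: '*' with no Allow-Credentials, as in the patched router.
    Actual request: only allowlisted origins are reflected, and credentials are
    permitted for the site's own origin only."""
    if method == "OPTIONS":
        return {
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD",
        }
    if not origin or origin not in TRUSTED_ORIGINS:
        return {}  # no CORS headers at all: the browser withholds the body
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if origin == SITE_ORIGIN:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def readable_cross_origin(request_origin, response_headers, with_credentials=True):
    """Browser CORS rule: a credentialed response is exposed to the calling page
    only when Allow-Origin equals the request origin exactly (never '*') and
    Allow-Credentials is 'true'; an uncredentialed response also accepts '*'."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower()
    if with_credentials:
        return acao == request_origin and acac == "true"
    return acao == "*" or acao == request_origin


def exposes_session_data(policy, origin, preflighted=True):
    """True if a page at `origin` could read a cookie-authenticated /api/ response
    under `policy`. Simple GETs are not preflighted, so with preflighted=False only
    the real response decides; otherwise the preflight must pass as well."""
    if origin == SITE_ORIGIN:
        return False  # same-origin: CORS is not involved
    if preflighted and not readable_cross_origin(origin, policy("OPTIONS", origin)):
        return False
    return readable_cross_origin(origin, policy("GET", origin))


if __name__ == "__main__":
    for name, policy in (("reflecting", cors_headers_reflecting),
                         ("hardened", cors_headers_hardened)):
        print(name, "exposes session data:",
              exposes_session_data(policy, "https://untrusted.example"))
```

The `preflighted=False` path matters for auditing: a plain GET with cookies is never preflighted, so fixing only the router's OPTIONS branch would not be enough, which is why the patched excerpt notes that the actual responses rely on `allowOrigin(true)` in the JSON handlers.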
Detection Methods for CVE-2026-41057
Indicators of Compromise
- Unusual cross-origin requests to /api/* endpoints from external referrers in web server logs
- Multiple API requests from the same authenticated session but originating from different domains
- Suspicious Origin headers in access logs that don't match legitimate application domains
- Data exfiltration patterns showing bulk API response data being accessed from untrusted origins
Detection Strategies
- Monitor web application firewall (WAF) logs for requests with Origin headers from untrusted or unknown domains targeting API endpoints
- Implement logging for all CORS-related headers and analyze patterns of cross-origin requests to sensitive API routes
- Review access logs for authenticated API calls where the Referer or Origin header doesn't match expected application domains
- Deploy behavioral analytics to detect anomalous API access patterns from authenticated sessions
Monitoring Recommendations
- Enable detailed access logging for all /api/* endpoints including Origin, Referer, and credential-related headers
- Set up alerts for API responses containing sensitive data (PII, admin status) being served to non-whitelisted origins
- Monitor for reconnaissance activity targeting CORS configurations such as OPTIONS preflight probes from suspicious sources
- Implement real-time correlation of API access with user session locations to detect potential credential theft scenarios
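As an added example of the logging-based detection described above (not part of the advisory or of the AVideo project), the Python script below parses access-log lines in an assumed custom nginx log_format that records the Origin and Referer headers and whether a Cookie was sent, and flags /api/ requests from origins outside an allowlist, separating OPTIONS probes from successful cookie-bearing reads. The log lines, site origin, request paths and allowlist are all constructed.

```python
import re
from collections import Counter

# Assumed site origin and allowlist (constructed for this example).
SITE_ORIGIN = "https://video.example.com"
TRUSTED_ORIGINS = {SITE_ORIGIN, "https://app.example.org"}

# Assumed custom nginx log_format (not AVideo's default), one request per line:
#   '$remote_addr [$time_local] "$request" $status "$http_origin" "$http_referer" cookie=$has_cookie'
# where $has_cookie is "yes"/"no" from a map on $http_cookie.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)" "(?P<referer>[^"]*)" cookie=(?P<cookie>yes|no)$'
)

# Constructed sample lines: a preflight probe, a cookie-bearing cross-origin read
# of an /api/ endpoint from an unlisted origin, same-origin and non-browser
# traffic, a non-API page, and an uncredentialed cross-origin API client.
SAMPLE_LOG = """\
203.0.113.7 [22/Apr/2026:10:01:02 +0000] "OPTIONS /api/user/profile HTTP/1.1" 204 "https://untrusted.example" "-" cookie=no
203.0.113.7 [22/Apr/2026:10:01:03 +0000] "GET /api/user/profile HTTP/1.1" 200 "https://untrusted.example" "https://untrusted.example/" cookie=yes
198.51.100.4 [22/Apr/2026:10:02:10 +0000] "GET /api/video/list HTTP/1.1" 200 "https://video.example.com" "https://video.example.com/" cookie=yes
198.51.100.9 [22/Apr/2026:10:03:15 +0000] "GET /api/video/list HTTP/1.1" 200 "-" "-" cookie=no
192.0.2.33 [22/Apr/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 "https://untrusted.example" "-" cookie=yes
198.51.100.20 [22/Apr/2026:10:05:30 +0000] "GET /api/video/list HTTP/1.1" 200 "https://partner.example" "-" cookie=no
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, trusted=TRUSTED_ORIGINS):
    """Label one parsed request, or return None when it looks benign."""
    if not entry["path"].startswith("/api/"):
        return None
    origin = entry["origin"]
    if origin in ("", "-") or origin in trusted:
        return None  # non-browser client without Origin, or an allowlisted origin
    if entry["method"] == "OPTIONS":
        return "preflight-probe"  # CORS policy reconnaissance; no data returned
    if entry["cookie"] == "yes" and entry["status"].startswith("2"):
        # Session cookie present, unlisted origin, successful response: the
        # pattern this CVE enables if the server reflected the origin.
        return "credentialed-cross-origin-api-read"
    return "cross-origin-api-request"  # e.g. an APISecret client; review, lower priority


def scan(log_text, trusted=TRUSTED_ORIGINS):
    """Parse every line and return the flagged entries with their label."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry, trusted)
        if label:
            findings.append({**entry, "finding": label})
    return findings


def per_origin(findings):
    """Count credentialed cross-origin reads per Origin to surface bulk access."""
    return Counter(f["origin"] for f in findings
                   if f["finding"] == "credentialed-cross-origin-api-read")


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["finding"], f["ip"], f["origin"], f["path"])
    print(dict(per_origin(results)))
```

The `cookie=` field is what separates an exploited session from a legitimate uncredentialed API client: a cross-origin request without cookies cannot expose a user's data even when the origin is reflected, whereas a successful cookie-bearing one from an unlisted origin is exactly the case the fix prevents.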
How to Mitigate CVE-2026-41057
Immediate Actions Required
- Upgrade WWBN AVideo to a version containing commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 or later
- Review and restrict the list of allowed CORS origins to only trusted domains that require cross-origin API access
- Implement additional authentication controls such as CSRF tokens for sensitive API operations
- Conduct a security audit of all API endpoints to identify any additional CORS-related misconfigurations
Patch Information
The vulnerability is addressed in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13. This patch refactors the CORS preflight handling to improve security by ensuring that Access-Control-Allow-Origin: * is returned for OPTIONS preflight requests without Access-Control-Allow-Credentials, preventing credentialed cross-origin requests from being successful. For detailed patch information, refer to the GitHub Security Advisory and the commit containing the fix.
Workarounds
- Configure a reverse proxy or WAF to enforce strict CORS origin validation, allowing only explicitly whitelisted domains
- Disable cross-origin credentialed requests at the web server level by removing or overriding Access-Control-Allow-Credentials: true headers
- Implement network-level restrictions to limit API access to trusted IP ranges or require VPN access for administrative functions
- Deploy Content Security Policy (CSP) headers to restrict which domains can embed or interact with the AVideo application
# Nginx configuration to restrict CORS origins
# Add to the server block that fronts AVideo; keep your existing
# proxy_pass / fastcgi_pass directives for this path inside the block.
location /api/ {
    # Only allow specific trusted origins (replace the regex with your own domains).
    set $cors_origin "";
    if ($http_origin ~* "^https://(trusted-domain\.com|app\.example\.org)$") {
        set $cors_origin $http_origin;
    }

    # nginx does not emit a header whose value is empty, so a request from an
    # unlisted origin gets no Access-Control-Allow-Origin at all and the browser
    # withholds the response from the calling page.
    add_header 'Access-Control-Allow-Origin' $cors_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
    # Cached responses must not be reused across origins.
    add_header 'Vary' 'Origin' always;

    # Hide the application's own reflected CORS headers so the vulnerable values
    # never reach the browser alongside the ones set here. Use fastcgi_hide_header
    # instead if this location reaches PHP-FPM directly via fastcgi_pass.
    proxy_hide_header 'Access-Control-Allow-Origin';
    proxy_hide_header 'Access-Control-Allow-Credentials';

    # Handle preflight without credentials. add_header inside this block replaces
    # (does not inherit) the headers above, so no Allow-Credentials is sent and the
    # browser will not attach cookies to the follow-up request from any origin.
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
        add_header 'Access-Control-Max-Age' 86400;
        return 204;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

