CVE-2026-41060 Overview
WWBN AVideo is an open source video platform that contains a Server-Side Request Forgery (SSRF) vulnerability in versions 29.0 and below. The isSSRFSafeURL() function in objects/functions.php contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration of internal service data.
Critical Impact
Authenticated attackers can bypass SSRF protections to access internal services on arbitrary ports, with response data saved to web-accessible paths enabling complete data exfiltration.
Affected Products
- WWBN AVideo version 29.0 and below
- AVideo installations using the vulnerable isSSRFSafeURL() function in objects/functions.php
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-41060 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41060
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw exists in the SSRF protection mechanism implemented in AVideo's isSSRFSafeURL() function. The function was designed to prevent SSRF attacks by validating URLs before making server-side requests. However, the implementation contains a critical logic flaw in its same-domain bypass logic.
When a URL is submitted, the function checks if the hostname matches the configured webSiteRootURL. If the hostnames match, the function immediately returns true, allowing the request without further validation. The fundamental issue is that this check only validates the hostname component while completely ignoring the port number.
This oversight allows authenticated attackers to craft malicious URLs using the legitimate site hostname but targeting arbitrary ports (e.g., http://legitimate-site.com:6379/ to access a Redis instance). Since the response body is saved to a web-accessible path, attackers can retrieve sensitive data from internal services that would normally be unreachable from the internet.
Root Cause
The root cause is an incomplete same-origin validation in the isSSRFSafeURL() function. The original code only compared hostnames using parse_url($global['webSiteRootURL'], PHP_URL_HOST) and parse_url($url, PHP_URL_HOST), without also comparing port numbers. This violates the same-origin policy principle where origin is defined by protocol, hostname, AND port. The missing port validation creates a bypass condition that effectively nullifies the SSRF protection for same-host requests.
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker with a valid user account on the AVideo platform can exploit this vulnerability by:
- Identifying the target AVideo instance's public hostname
- Crafting a URL with the same hostname but a different port targeting an internal service
- Submitting this URL through functionality that invokes isSSRFSafeURL()
- Retrieving the response from the web-accessible path where it was saved
$host = strtolower($host);
- // Allow loopback/private IPs if the URL points to the same domain as webSiteRootURL
+ // Allow requests to the same origin as webSiteRootURL (hostname + port must both match).
+ // Checking hostname only is insufficient: an attacker can reach arbitrary internal ports
+ // on the same host by using the site's public hostname with a non-standard port.
if (!empty($global['webSiteRootURL'])) {
- $siteHost = strtolower(parse_url($global['webSiteRootURL'], PHP_URL_HOST));
- if ($host === $siteHost) {
- _error_log("isSSRFSafeURL: allowing same-domain request to {$host} (matches webSiteRootURL)");
+ $siteHost = strtolower(parse_url($global['webSiteRootURL'], PHP_URL_HOST));
+ $siteScheme = strtolower(parse_url($global['webSiteRootURL'], PHP_URL_SCHEME) ?: 'http');
+ $sitePort = (int)(parse_url($global['webSiteRootURL'], PHP_URL_PORT) ?: ($siteScheme === 'https' ? 443 : 80));
+
+ $urlScheme = strtolower(parse_url($url, PHP_URL_SCHEME) ?: 'http');
+ $urlPort = (int)(parse_url($url, PHP_URL_PORT) ?: ($urlScheme === 'https' ? 443 : 80));
+
+ if ($host === $siteHost && $urlPort === $sitePort) {
+ _error_log("isSSRFSafeURL: allowing same-origin request to {$host}:{$urlPort} (matches webSiteRootURL)");
return true;
}
}
Source: GitHub Commit a0156a6
Detection Methods for CVE-2026-41060
Indicators of Compromise
- HTTP requests from the AVideo server to localhost or the server's own hostname on non-standard ports (e.g., 6379, 27017, 9200, 11211)
- Log entries in AVideo showing isSSRFSafeURL: allowing same-domain request messages with unusual port numbers
- Unexpected files appearing in web-accessible directories containing data from internal services
- Network connections from the web server process to internal services that should not be accessed by the application
Detection Strategies
- Monitor web server logs for URL submissions containing the site's hostname with non-standard ports in URL parameters
- Implement network segmentation monitoring to detect connections from the AVideo server to internal service ports
- Review PHP error logs for isSSRFSafeURL log entries with port numbers that differ from the standard HTTP/HTTPS ports
- Deploy file integrity monitoring on web-accessible directories to detect unauthorized file creation
Monitoring Recommendations
- Configure alerts for outbound connections from the AVideo application to sensitive internal ports (database ports, cache servers, etc.)
- Implement log analysis rules to flag any URL processing involving the server's own hostname with non-standard ports
- Monitor authentication logs for accounts making repeated requests that trigger SSRF validation logic
- Enable verbose logging for the isSSRFSafeURL() function to capture all URL validation attempts
How to Mitigate CVE-2026-41060
Immediate Actions Required
- Upgrade WWBN AVideo to a version containing commit a0156a6398362086390d949190f9d52a823000ba or later
- Review web-accessible directories for any suspicious files that may have been created through exploitation
- Audit user activity logs for potential exploitation attempts targeting internal services
- Consider implementing network-level restrictions to prevent the web server from accessing internal service ports
Patch Information
The vulnerability is fixed in commit a0156a6398362086390d949190f9d52a823000ba. The patch modifies the isSSRFSafeURL() function in objects/functions.php to enforce proper same-origin validation by comparing both hostname AND port. The fix extracts the port from both the configured webSiteRootURL and the submitted URL, defaulting to standard ports (80 for HTTP, 443 for HTTPS) when not explicitly specified. For more details, see the GitHub Security Advisory and the patch commit.
Workarounds
- Implement firewall rules to restrict outbound connections from the AVideo server to only necessary external services
- Use a web application firewall (WAF) to block requests containing the server's hostname with non-standard ports
- Disable or restrict functionality that allows users to submit arbitrary URLs for server-side processing
- Deploy network segmentation to isolate internal services from the web application tier
# Example iptables rules to restrict outbound connections from web server
# Block connections to common internal service ports
iptables -A OUTPUT -p tcp -m owner --uid-owner www-data --dport 6379 -j DROP # Redis
iptables -A OUTPUT -p tcp -m owner --uid-owner www-data --dport 27017 -j DROP # MongoDB
iptables -A OUTPUT -p tcp -m owner --uid-owner www-data --dport 9200 -j DROP # Elasticsearch
iptables -A OUTPUT -p tcp -m owner --uid-owner www-data --dport 11211 -j DROP # Memcached
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
