CVE-2026-43881 Overview
CVE-2026-43881 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. Versions up to and including 29.0 expose two unauthenticated paths in objects/users.json.php that disclose registered user accounts. The vulnerability stems from a missing authentication check [CWE-306] that allows any network attacker to enumerate the platform's complete user base. Disclosed fields include id, identification (display name), channel URL, photo, background, status, and the total account count. The maintainers addressed the issue in commit d9cdc702481a626b15f814f6093f1e2a9c20d375.
Critical Impact
Unauthenticated remote attackers can enumerate every registered account on an AVideo instance, producing reconnaissance data suitable for follow-on credential attacks and targeted phishing.
Affected Products
- WWBN AVideo versions up to and including 29.0
- objects/users.json.php endpoint handler
- User::getAllUsers() and User::getUserFromID() methods
Discovery Timeline
- 2026-05-11 - CVE-2026-43881 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43881
Vulnerability Analysis
The vulnerability resides in objects/users.json.php, which handles requests for user account data. The handler exposes two separate code paths that both bypass the platform's admin-only access control. Either path returns user metadata along with the total account count, giving attackers a complete view of the platform's user population.
Because the endpoint accepts unauthenticated requests, attackers do not need valid credentials, session tokens, or any prior foothold. A single HTTP request is sufficient to retrieve account data, and an attacker can iterate the users_id parameter to enumerate accounts individually. The CWE-306 classification reflects the missing authentication on a critical function.
Root Cause
The isCompany request parameter sets $ignoreAdmin = true for any caller, including unauthenticated visitors. This flag defeats the admin-only guard inside User::getAllUsers() and User::getTotalUsers(), causing both methods to return data that should be restricted to administrators. The handler trusts a client-supplied parameter to override its own authorization logic.
Attack Vector
The second path accepts a users_id parameter and calls User::getUserFromID() directly without any permission check. This produces a single-user oracle: attackers query specific user IDs sequentially to enumerate accounts and harvest display names, profile photos, and channel URLs. Both paths are reachable over the network from any unauthenticated source with HTTP access to the AVideo instance.
No proof-of-concept exploit code is published in the referenced advisories. See the GitHub Security Advisory GHSA-6rvw-7p8v-mjfq for the maintainer's technical writeup.
Detection Methods for CVE-2026-43881
Indicators of Compromise
- HTTP requests to objects/users.json.php containing the isCompany parameter from unauthenticated sources
- Sequential or scripted requests to objects/users.json.php with incrementing users_id values indicating enumeration
- Unusual volumes of GET requests to users.json.php from a single client IP within a short interval
Detection Strategies
- Inspect web server access logs for any request to users.json.php that lacks an authenticated session cookie
- Alert on response payloads from users.json.php that include the identification, photo, and channelURL fields returned to unauthenticated clients
- Correlate enumeration patterns with subsequent login attempts against the same usernames to identify staged attacks
Monitoring Recommendations
- Enable verbose request logging on the AVideo web tier and forward logs to a centralized analytics platform
- Apply rate limiting and anomaly thresholds on objects/users.json.php to surface bulk enumeration
- Track external scanning activity targeting AVideo deployments by signature-matching the vulnerable URL pattern
How to Mitigate CVE-2026-43881
Immediate Actions Required
- Upgrade AVideo to a release that includes commit d9cdc702481a626b15f814f6093f1e2a9c20d375 or later
- Audit existing web server logs for prior unauthenticated requests to objects/users.json.php and assess exposure
- Notify users whose account metadata may have been harvested so they can watch for targeted phishing
Patch Information
The maintainers fixed the vulnerability in commit d9cdc702481a626b15f814f6093f1e2a9c20d375. The patch restores the admin-only guard in User::getAllUsers() and User::getTotalUsers() and adds permission checks before calling User::getUserFromID(). Review the GitHub commit details and the GitHub Security Advisory GHSA-6rvw-7p8v-mjfq before deploying.
Workarounds
- Block external access to objects/users.json.php at the reverse proxy or web application firewall until the patch is applied
- Require authentication at the web server layer for any request path matching users.json.php containing the isCompany or users_id parameters
- Restrict administrative endpoints to trusted source IP ranges where operationally feasible
# Example NGINX rule to block unauthenticated access to the vulnerable endpoint
location = /objects/users.json.php {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
