CVE-2026-43884 Overview
CVE-2026-43884 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting WWBN AVideo, an open source video platform. The flaw exists in versions up to and including 29.0. Two endpoints, plugin/AI/receiveAsync.json.php and objects/EpgParser.php, validate user-supplied URLs with isSSRFSafeURL() but then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can host a server that returns an HTTP 302 redirect to internal or cloud-metadata endpoints, bypassing the initial validation. Commit 603e7bf77a835584387327e35560262feb075db3 contains the fix.
Critical Impact
Authenticated attackers can use AVideo servers as a pivot into internal networks and read cloud instance metadata such as http://169.254.169.254/latest/meta-data/, exposing IAM credentials and internal services.
Affected Products
- WWBN AVideo versions up to and including 29.0
- plugin/AI/receiveAsync.json.php endpoint
- objects/EpgParser.php endpoint
Discovery Timeline
- 2026-05-11 - CVE-2026-43884 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43884
Vulnerability Analysis
The vulnerability stems from incomplete SSRF validation in AVideo's URL fetching logic. The application calls isSSRFSafeURL() to confirm a user-supplied URL does not point to internal address space. After validation passes, the code invokes file_get_contents() directly on the same URL string. PHP's HTTP stream wrapper follows redirects automatically because its follow_location option is enabled by default.
Because isSSRFSafeURL() only inspects the initial URL, an attacker-controlled host that returns a 302 response can redirect AVideo's fetch to any internal target. The redirect target is never re-validated. This allows requests to link-local cloud metadata services such as AWS at 169.254.169.254, internal HTTP services, or loopback ports.
Root Cause
The root cause is a time-of-check to time-of-use gap in URL handling. Validation occurs once, but file_get_contents() performs multiple HTTP transactions across redirects without re-applying the SSRF policy at each hop. The fix introduces a url_get_contents() helper that validates every redirect hop via isSSRFSafeURL() with follow_location=0.
Attack Vector
Exploitation requires low-privileged authenticated access to reach the vulnerable endpoints. The attacker submits a URL pointing to a server they control. That server responds with a 302 redirect to an internal resource. AVideo follows the redirect and returns or processes the internal response, leaking metadata, IAM tokens, or internal service data.
// Patch in objects/EpgParser.php
// Source: https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3
- if (!isSSRFSafeURL($this->url)) {
- throw new \RuntimeException('URL blocked by SSRF protection: ' . $this->url);
- }
+ // url_get_contents() validates the URL and every redirect hop via isSSRFSafeURL()
+ // with follow_location=0, preventing redirect-based SSRF bypass.
+ $this->content = url_get_contents($this->url);
- $this->content = @\file_get_contents($this->url);
+ if ($this->content === false) {
+ throw new \RuntimeException('URL blocked by SSRF protection or fetch failed: ' . $this->url);
+ }
- if (!strpos($http_response_header[0], "200")) {
+ if (!isset($http_response_header[0]) || !strpos($http_response_header[0], "200")) {
throw new \RuntimeException("Invalid response headers: " . $http_response_header[0], 1);
}
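Review bot: `$http_response_header` is only populated in the scope that calls file_get_contents(), so once the fetch moves into url_get_contents() the `+ if (!isset($http_response_header[0]) || ...` check in this scope sees either nothing or a stale value from an earlier fetch, and the status check is effectively dead unless the helper exports that array. The unchanged throw on the following line also interpolates `$http_response_header[0]` immediately after isset() has failed, which raises an undefined-index warning and yields an empty message. Suggest having url_get_contents() return or throw the final status (or the response headers) and building the exception message from that.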
// Patch in plugin/AI/receiveAsync.json.php
// Source: https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3
- if (!isSSRFSafeURL($imageUrl)) {
- rateLimitedLog('AI-receiveAsync-image-ssrf-' . md5($imageUrl), 'AI: ' . basename(__FILE__) . ' line=' . __LINE__ . ' SSRF protection blocked URL: ' . $imageUrl);
+ // SSRF Protection: url_get_contents() validates the URL and all redirect
+ // hops via isSSRFSafeURL() with follow_location=0, preventing redirect-based bypass.
+ $imageContent = url_get_contents($imageUrl);
+ if ($imageContent === false) {
+ rateLimitedLog('AI-receiveAsync-image-ssrf-' . md5($imageUrl), 'AI: ' . basename(__FILE__) . ' line=' . __LINE__ . ' SSRF protection blocked URL or fetch failed: ' . $imageUrl);
} else {
- $imageContent = file_get_contents($imageUrl);
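Review bot: the new `+ if ($imageContent === false)` path folds ordinary fetch failures into the SSRF log line keyed by `'AI-receiveAsync-image-ssrf-' . md5($imageUrl)`, so a timeout or 404 on a legitimate host is now logged (and rate-limited) as an SSRF block, which dilutes any alerting built on that message. Suggest having url_get_contents() distinguish a policy rejection from a transport error (distinct return value or exception) and keeping the "SSRF protection blocked URL" wording for the former only. Also `=== false` lets an empty-string body fall through to the `} else {` branch, whose body is not shown in this excerpt; worth confirming it copes with an empty image.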
Detection Methods for CVE-2026-43884
Indicators of Compromise
- Outbound HTTP requests from AVideo hosts to RFC 1918 ranges, link-local 169.254.169.254, or loopback addresses originating from plugin/AI/receiveAsync.json.php or EPG parser activity.
- Web server access logs showing requests to plugin/AI/receiveAsync.json.php or EPG parser endpoints with external URL parameters that resolve to attacker-controlled hosts returning 302 responses.
- Unexpected access to cloud instance metadata endpoints recorded in cloud provider audit logs from the AVideo server's IAM role.
Detection Strategies
- Monitor egress traffic from PHP application servers and alert on connections to internal address space or cloud metadata IPs from the web server process.
- Inspect web access logs for POST or GET parameters containing fully qualified URLs submitted to the affected endpoints, then correlate with downstream outbound connections.
- Review cloud audit logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for IMDS credential usage originating from AVideo instance roles in unexpected geographies or services.
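The access-log inspection step above, as an added PHP example that is not AVideo's code: it scans Apache combined-format lines for requests to the two affected endpoints whose query parameters carry an absolute http(s) URL and reports the host AVideo would have fetched, so the hit can be correlated with outbound connections. The advisory does not name the URL parameters, so every query parameter is inspected, and the log lines are constructed samples.

```php
<?php
// Added example, not AVideo's code: scan Apache combined-format access log lines for
// requests to the two affected endpoints whose query parameters carry an absolute
// http(s) URL, and report the host that AVideo would have fetched. The advisory does
// not name the parameters, so every query parameter is inspected.

const AFFECTED_PATHS = ['/plugin/AI/receiveAsync.json.php', '/objects/EpgParser.php'];

function findUrlFetchRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client ip, timestamp, method and request target from the combined log format
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $client, $ts, $method, $target] = $m;
        $path = parse_url($target, PHP_URL_PATH) ?? '';
        if (!in_array($path, AFFECTED_PATHS, true)) {
            continue;
        }
        parse_str(parse_url($target, PHP_URL_QUERY) ?? '', $params);
        foreach ($params as $name => $value) {
            $scheme = is_string($value) ? strtolower((string) parse_url($value, PHP_URL_SCHEME)) : '';
            if (in_array($scheme, ['http', 'https'], true)) {
                $hits[] = ['client' => $client, 'time' => $ts, 'endpoint' => $path,
                    'param' => $name, 'fetch_host' => parse_url($value, PHP_URL_HOST)];
            }
        }
        // POST bodies never reach the access log: flag the request for body-level review.
        if ($method === 'POST' && $params === []) {
            $hits[] = ['client' => $client, 'time' => $ts, 'endpoint' => $path,
                'param' => null, 'fetch_host' => null];
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sampleLog = <<<'LOG'
203.0.113.5 - - [11/May/2026:10:00:01 +0000] "GET /plugin/AI/receiveAsync.json.php?imageUrl=http%3A%2F%2Fexternal.example%2Fimg.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [11/May/2026:10:00:02 +0000] "GET /objects/EpgParser.php?url=https%3A%2F%2Fepg.example%2Fguide.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [11/May/2026:10:00:03 +0000] "GET /view.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [11/May/2026:10:00:04 +0000] "POST /plugin/AI/receiveAsync.json.php HTTP/1.1" 200 64 "-" "curl/8.0"
LOG;

foreach (findUrlFetchRequests($sampleLog) as $hit) {
    echo json_encode($hit), PHP_EOL;
}
```

Each reported fetch_host can then be matched against egress logs for the same window; a host that answered with a 302 into internal space will show up there as a second connection to a private or link-local address.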
Monitoring Recommendations
- Deploy network segmentation policies that block AVideo workloads from reaching 169.254.169.254 and any internal management plane unless explicitly required.
- Enforce IMDSv2 on AWS to require session tokens, raising the bar for SSRF-driven credential theft.
- Log and retain all outbound HTTP requests made by the AVideo PHP process for retrospective hunting.
How to Mitigate CVE-2026-43884
Immediate Actions Required
- Upgrade AVideo to a release containing commit 603e7bf77a835584387327e35560262feb075db3 or later.
- Rotate any cloud IAM credentials, API keys, and secrets accessible from the AVideo host's instance metadata service.
- Restrict access to the AI plugin and EPG parser endpoints to trusted administrative accounts pending patch deployment.
Patch Information
The official fix replaces direct file_get_contents() calls with a new url_get_contents() helper that disables automatic redirect following and re-validates each hop through isSSRFSafeURL(). Patch details are available in the WWBN AVideo commit 603e7bf and the GitHub Security Advisory GHSA-2hch-c97c-g99xg.
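The hop-by-hop validation described above, as an added PHP example that is not AVideo's code: a fetch helper that sets follow_location=0 and re-applies the SSRF check to every redirect target before fetching it. isSSRFSafeURL() here is a simplified stand-in for AVideo's own helper, and url_get_contents_checked() is a hypothetical name, not the project's url_get_contents().

```php
<?php
// Added example, not AVideo's code: a fetch helper modelled on the fix described
// above. isSSRFSafeURL() is a simplified stand-in for AVideo's own helper.

function isSSRFSafeURL(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    // Check the address the request would actually reach, not just the hostname.
    $ip = filter_var($p['host'], FILTER_VALIDATE_IP) ? $p['host'] : gethostbyname($p['host']);
    // NO_PRIV_RANGE rejects RFC 1918; NO_RES_RANGE rejects loopback and 169.254.0.0/16.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
function url_get_contents_checked(string $url, int $maxHops = 5)
{
    // follow_location=0 makes the wrapper return a 3xx response itself instead of
    // silently chasing it; ignore_errors hands back non-2xx bodies so we can inspect them.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'ignore_errors' => true]]);
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isSSRFSafeURL($url)) {
            return false; // policy re-applied on every hop, closing the TOCTOU gap
        }
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false || empty($http_response_header)
            || !preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
            return false;
        }
        $status = (int) $m[1];
        if ($status < 300 || $status >= 400) {
            return $status === 200 ? $body : false;
        }
        $location = null;
        foreach ($http_response_header as $h) {
            if (stripos($h, 'Location:') === 0) {
                $location = trim(substr($h, 9));
            }
        }
        // Require an absolute Location; a relative one would have to be resolved against $url.
        if ($location === null || parse_url($location, PHP_URL_SCHEME) === null) {
            return false;
        }
        $url = $location; // next iteration validates the redirect target before fetching it
    }
    return false; // redirect chain longer than $maxHops
}
```

The hostname is resolved once by the check and again by the stream wrapper, so a DNS rebinding window remains; pinning the resolved address (for example by connecting to the IP and sending the Host header) closes that residual gap.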
Workarounds
- Block outbound traffic from the AVideo server to internal CIDR ranges and the cloud metadata IP 169.254.169.254 at the host firewall or security group level.
- Enforce IMDSv2 with session tokens and a low hop limit on AWS EC2 instances hosting AVideo.
- Disable or restrict the AI plugin and EPG parser features if they are not required in the deployment.
# Example AWS CLI command to enforce IMDSv2 on the AVideo instance
aws ec2 modify-instance-metadata-options \
--instance-id i-0123456789abcdef0 \
--http-tokens required \
--http-put-response-hop-limit 1 \
--http-endpoint enabled
# Example iptables rule to block link-local metadata access from PHP-FPM user
iptables -A OUTPUT -m owner --uid-owner www-data \
-d 169.254.169.254 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.