CVE-2026-45619 Overview
CVE-2026-45619 affects WWBN AVideo, an open source video platform. The vulnerability exists in versions 29.0 and earlier. Affected code paths include EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations that perform outbound HTTP requests. These call sites validate URLs through isSSRFSafeURL() but discard the $resolvedIP out-parameter. As a result, the validated hostname is resolved again by cURL at request time, creating a Time-of-Check Time-of-Use (TOCTOU) race exploitable through DNS rebinding. The weakness maps to CWE-367 (Time-of-check Time-of-use Race Condition).
Critical Impact
A remote unauthenticated attacker can bypass Server-Side Request Forgery (SSRF) protections and force the AVideo server to issue HTTP requests to internal hosts, exposing internal services and metadata endpoints.
Affected Products
- WWBN AVideo 29.0
- WWBN AVideo prior to 29.0
- Deployments using EpgParser.php or the AI plugin receiveAsync.json.php
Discovery Timeline
- 2026-05-29 - CVE-2026-45619 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45619
Vulnerability Analysis
WWBN AVideo defends against SSRF by calling isSSRFSafeURL() before performing outbound HTTP requests. The helper resolves the hostname and returns the resolved IP through a $resolvedIP out-parameter so callers can pin that address. Affected call sites, including EpgParser.php and plugin/AI/receiveAsync.json.php, ignore this out-parameter. They pass the original URL directly to cURL without setting CURLOPT_RESOLVE. cURL then performs a second DNS lookup, and an attacker who controls the domain's authoritative DNS server chooses what that second lookup returns.
An attacker registers a domain whose authoritative DNS server returns different answers on successive queries. The first query, made by isSSRFSafeURL(), returns a public IP that passes the safety check. The second query, made by cURL, returns an internal address such as 127.0.0.1, 169.254.169.254, or an RFC1918 host. The HTTP request is sent to the internal target while the validator believes traffic is destined for a safe endpoint.
Root Cause
The root cause is a TOCTOU race between the validation lookup and the request lookup. The validator already produces the safe resolved IP, but callers discard it. Without CURLOPT_RESOLVE pinning, cURL re-resolves the hostname and accepts whatever answer DNS returns at request time.
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. The attacker hosts a domain configured with a low TTL and a rebinding response strategy. They submit a URL referencing that domain to an AVideo endpoint that invokes the vulnerable HTTP client, such as the EPG parser or the AI plugin async receiver. AVideo validates the first DNS answer, then issues the request against the second answer, reaching internal services.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-c3ch-22rq-xfwr for vendor details.
Detection Methods for CVE-2026-45619
Indicators of Compromise
- Outbound HTTP requests from the AVideo PHP-FPM or web server process to RFC1918, loopback, or link-local addresses such as 169.254.169.254.
- Repeated DNS queries from the AVideo host for the same external domain within milliseconds, returning different A records.
- Access entries in EPG parser logs or plugin/AI/receiveAsync.json.php referencing attacker-controlled hostnames with short TTL values.
Detection Strategies
- Inspect web server access logs for requests to AVideo endpoints that accept user-supplied URLs, correlated with outbound traffic to internal subnets.
- Deploy egress filtering and alert on connections from the AVideo server toward cloud metadata IPs or management interfaces.
- Use passive DNS analysis to flag domains that resolve to both public and private IP space within a short window.
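As an added example (not part of this advisory or of the AVideo project), the following PHP script applies the passive DNS check above to constructed resolver log lines, flagging any domain whose A answers flip between public and internal address space within a short window. The log line format, the 60-second window and all sample values are assumptions.

```php
<?php
// Added detection example, not AVideo's code. Input lines are constructed and use an
// assumed "timestamp client domain A answer" format; adapt the regex to your resolver's logs.
const REBIND_WINDOW_SECONDS = 60;   // assumed window; tune to your resolver's TTL floor

function isInternalAddress(string $ip): bool
{
    // Loopback, RFC1918, link-local (covers 169.254.169.254) and reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns domain => [public answer, internal answer] for every domain whose A
// answers flipped between public and internal space within $window seconds.
function findRebindingDomains(array $logLines, int $window = REBIND_WINDOW_SECONDS): array
{
    $answers = [];   // domain => list of [unix time, ip]
    foreach ($logLines as $line) {
        if (!preg_match('/^(\S+)\s+\S+\s+(\S+)\s+A\s+(\S+)$/', trim($line), $m)) {
            continue;   // skip lines that are not A-record answers
        }
        $answers[strtolower($m[2])][] = [strtotime($m[1]), $m[3]];
    }
    $flagged = [];
    foreach ($answers as $domain => $list) {
        usort($list, fn($a, $b) => $a[0] <=> $b[0]);
        $n = count($list);
        for ($i = 0; $i < $n; $i++) {
            for ($j = $i + 1; $j < $n && $list[$j][0] - $list[$i][0] <= $window; $j++) {
                if (isInternalAddress($list[$i][1]) !== isInternalAddress($list[$j][1])) {
                    $flagged[$domain] = isInternalAddress($list[$j][1])
                        ? [$list[$i][1], $list[$j][1]] : [$list[$j][1], $list[$i][1]];
                    continue 3;   // one hit per domain is enough
                }
            }
        }
    }
    return $flagged;
}

$sampleLog = [   // constructed sample: the second line is the rebinding answer
    '2026-06-01T10:00:00Z 10.20.0.5 epg.rebind.example A 203.0.113.10',
    '2026-06-01T10:00:00Z 10.20.0.5 epg.rebind.example A 169.254.169.254',
    '2026-06-01T10:05:00Z 10.20.0.5 cdn.legit.example A 198.51.100.7',
    '2026-06-01T10:06:00Z 10.20.0.5 cdn.legit.example A 198.51.100.8',
];
foreach (findRebindingDomains($sampleLog) as $domain => [$public, $internal]) {
    echo "possible DNS rebinding: {$domain} answered {$public} then {$internal}\n";
}
```

Only epg.rebind.example is reported; cdn.legit.example changes answers too, but both are public, which is normal for a CDN.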
Monitoring Recommendations
- Forward AVideo web logs, PHP error logs, and host DNS query logs to a centralized analytics platform for correlation.
- Monitor cURL outbound traffic from the web tier and alert on destinations outside the expected allowlist.
- Track changes to EpgParser.php and files under plugin/AI/ for tampering or unexpected versions.
How to Mitigate CVE-2026-45619
Immediate Actions Required
- Upgrade WWBN AVideo to a release later than 29.0 that contains the fix referenced in GHSA-c3ch-22rq-xfwr.
- Restrict outbound network access from the AVideo server to only the destinations required for operation.
- Block access from the AVideo host to cloud metadata services and internal management ranges at the network layer.
Patch Information
WWBN published the fix and disclosure in the GitHub Security Advisory GHSA-c3ch-22rq-xfwr. The remediation updates affected call sites to consume the $resolvedIP out-parameter from isSSRFSafeURL() and pin it through CURLOPT_RESOLVE, eliminating the second DNS lookup.
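The following PHP is an added illustration of the pattern described in the Vulnerability Analysis and Patch Information sections; it is not AVideo's code. isSSRFSafeURL() here is a simplified stand-in with the out-parameter signature the advisory describes, and fetchUnpinned() and fetchPinned() are hypothetical call sites showing the discarded out-parameter beside the CURLOPT_RESOLVE pinning that the fix applies.

```php
<?php
// Added example, not AVideo's code: simplified stand-in for isSSRFSafeURL() that
// resolves the host once and returns the answer through the $resolvedIP out-parameter.
function isSSRFSafeURL(string $url, ?string &$resolvedIP = null): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $ip = gethostbyname($p['host']);  // first lookup (time of check); returns the name unchanged on failure
    // Reject loopback, RFC1918, link-local (169.254.0.0/16) and reserved ranges.
    if ($ip === $p['host'] || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    $resolvedIP = $ip;
    return true;
}
// Vulnerable pattern (CWE-367): the out-parameter is discarded, so cURL resolves the
// hostname a second time inside curl_exec() and a rebinding DNS server can answer differently.
function fetchUnpinned(string $url)
{
    if (!isSSRFSafeURL($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
// Hardened pattern: keep $resolvedIP and pin it with CURLOPT_RESOLVE ("host:port:ip"),
// so the connection goes to the address that was actually checked.
function fetchPinned(string $url)
{
    if (!isSSRFSafeURL($url, $resolvedIP)) {
        return false;
    }
    $p = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect would trigger a fresh, unpinned lookup
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$resolvedIP}"],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

Redirects are left disabled on purpose: following a Location header to another host would resolve that host without the pin, reopening the same race.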
Workarounds
- Place AVideo behind an egress proxy that enforces an allowlist of destination hostnames and resolved IPs.
- Disable or restrict access to AI plugin endpoints and EPG parsing features until the patched version is deployed.
- Configure the host firewall to deny outbound traffic from the web process to private, loopback, and link-local ranges.
# Example iptables egress restriction for the AVideo web user
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

