CVE-2026-45620 Overview
CVE-2026-45620 is an information disclosure vulnerability in WWBN AVideo, an open source video platform. The flaw exists in objects/mention.json.php, which lacks both User::loginCheck() and an administrative authorization gate. The endpoint only enforces an entry guard using preg_match('/^@/', $_REQUEST['term']) and a hard-coded rowCount=10. This design allows unauthenticated attackers to enumerate valid usernames on affected instances. The issue impacts AVideo version 29.0 and earlier and falls under CWE-204: Observable Response Discrepancy.
Critical Impact
Remote attackers can enumerate registered AVideo users without authentication, exposing identity data that supports targeted credential stuffing and phishing campaigns.
Affected Products
- WWBN AVideo 29.0
- WWBN AVideo versions prior to 29.0
- Deployments exposing objects/mention.json.php to the public internet
Discovery Timeline
- 2026-05-29 - CVE-2026-45620 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45620
Vulnerability Analysis
The vulnerability resides in the mention auto-complete endpoint objects/mention.json.php. AVideo uses this endpoint to suggest usernames when an authenticated user types @ in comments or chat. The endpoint queries the user table and returns up to ten matching account records as JSON. Because the file does not invoke User::loginCheck() or any administrative gate, any unauthenticated client can submit requests. The only restriction is a regular expression requiring the term parameter to start with @. An attacker can iterate through letter prefixes such as @a, @b, @ab to harvest valid usernames across the platform.
Root Cause
The root cause is missing authentication on a sensitive data endpoint. Standard AVideo controllers wrap user data lookups behind User::loginCheck(), but mention.json.php omits this control. The hard-coded rowCount=10 was treated as sufficient rate limiting, yet it does not prevent enumeration because attackers can vary the search term to retrieve different result sets. The pattern matches CWE-204, where response content reveals whether queried identities exist.
Attack Vector
Exploitation requires only network access to the AVideo instance. An attacker sends HTTP requests to objects/mention.json.php with the term parameter prefixed by @. The server responds with JSON containing usernames matching the prefix. By systematically varying the prefix, an attacker compiles a comprehensive list of registered accounts. Enumerated usernames feed downstream attacks including password spraying, credential stuffing, and targeted phishing against platform users.
No verified proof-of-concept code is published. Refer to the GitHub Security Advisory GHSA-vpfx-pxqw-2w79 for vendor-confirmed technical details.
Detection Methods for CVE-2026-45620
Indicators of Compromise
- High-volume GET or POST requests to objects/mention.json.php from a single source address
- Sequential term parameter values iterating through alphabetic prefixes such as @a, @b, @c
- Requests to the mention endpoint originating from sessions that never authenticated
- Spikes in JSON responses returning user records to anonymous clients
Detection Strategies
- Inspect web server access logs for unauthenticated calls to objects/mention.json.php and alert on burst patterns
- Deploy a WAF rule that flags requests to the mention endpoint without a valid session cookie
- Baseline normal mention endpoint traffic and alert on deviations exceeding typical user behavior
- Correlate enumeration attempts with subsequent failed login bursts to detect chained attacks
Monitoring Recommendations
- Forward AVideo web logs to a centralized SIEM and create a rule for repeated mention.json.php access
- Track the ratio of unique term values per source IP over rolling time windows
- Monitor for follow-on authentication failures against enumerated usernames
- Review CDN or reverse proxy logs for bot traffic targeting JSON endpoints
How to Mitigate CVE-2026-45620
Immediate Actions Required
- Upgrade WWBN AVideo to a version later than 29.0 that includes the vendor fix referenced in GHSA-vpfx-pxqw-2w79
- Restrict access to objects/mention.json.php at the web server or WAF layer until patching completes
- Audit web logs for prior enumeration activity and rotate credentials of any accounts that show suspicious follow-on login attempts
Patch Information
WWBN released a security advisory through GitHub. Review the WWBN AVideo Security Advisory GHSA-vpfx-pxqw-2w79 for the fixed version and patch commit details. The fix adds an authentication check to the mention endpoint so only logged-in users can query username suggestions.
Workarounds
- Block unauthenticated requests to objects/mention.json.php using a reverse proxy or WAF rule that requires a valid session cookie
- Add a server-side require_once for the AVideo authentication helper and enforce User::loginCheck() at the top of the affected file as a temporary patch
- Rate limit requests to JSON endpoints by source IP to slow enumeration attempts
- Enforce account lockout and multi-factor authentication to reduce the value of harvested usernames
# Example nginx configuration to block unauthenticated access to the mention endpoint
location = /objects/mention.json.php {
if ($cookie_PHPSESSID = "") {
return 403;
}
limit_req zone=mention_zone burst=5 nodelay;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php-fpm.sock;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
