Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46337

CVE-2026-46337: WWBN AVideo Information Disclosure Flaw

CVE-2026-46337 is an information disclosure vulnerability in WWBN AVideo allowing unauthenticated attackers to read arbitrary image files on the server. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-46337 Overview

CVE-2026-46337 is a path traversal vulnerability [CWE-22] affecting WWBN AVideo, an open source video platform. Versions 29.0 and earlier expose an unauthenticated endpoint that reads arbitrary image files from disk. Remote attackers can retrieve any image file the PHP user can open, including private user-profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication, removing a major barrier to exploitation. The vulnerability bypasses the application's normal serving wrappers that gate image content behind Access Control List (ACL) checks.

Critical Impact

Unauthenticated remote attackers can read arbitrary image files on the host, exposing private user photos, gated thumbnails, and content from sibling applications.

Affected Products

  • WWBN AVideo versions 29.0 and earlier
  • Self-hosted AVideo deployments using PHP-based serving wrappers
  • Sibling applications sharing the filesystem with AVideo installations

Discovery Timeline

  • 2026-05-29 - CVE-2026-46337 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-46337

Vulnerability Analysis

The vulnerability resides in an AVideo image-serving endpoint that accepts a user-supplied path parameter. The endpoint fails to canonicalize the path or restrict access to an allowlisted directory. Attackers supply .. sequences to escape the intended media directory and reach arbitrary locations the PHP process can read.

The endpoint bypasses AVideo's standard ACL wrappers that normally gate private content. As a result, attackers can read user-profile photos marked private, admin thumbnails, encrypted-video poster frames, and image files belonging to other applications hosted on the same server. No credentials, tokens, or session state are required.

The impact is scoped to image file content because the endpoint opens and returns image data. However, any image-rendered file the PHP user can access is exposed, including content sibling applications expect to remain protected.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The endpoint trusts attacker-controlled input when resolving file paths and lacks both directory traversal filtering and a final realpath check against an allowed base directory.

Attack Vector

The attack vector is network-based with low complexity. An attacker issues an HTTP request to the vulnerable endpoint, supplying a relative path containing .. segments. The PHP process resolves the path, opens the target file, and returns its bytes in the HTTP response. No user interaction or authentication is required. See the GitHub Security Advisory GHSA-w4qq-74h6-58wq for technical details.

Detection Methods for CVE-2026-46337

Indicators of Compromise

  • HTTP requests to AVideo image endpoints containing .., %2e%2e, or URL-encoded path traversal sequences
  • Anomalous spikes in requests returning private profile images or thumbnail files to unauthenticated clients
  • Web server access logs showing image responses to clients without authenticated sessions
  • Outbound transfers of image content correlated with single-source scanning patterns

Detection Strategies

  • Inspect web access logs for traversal patterns (..%2f, ....//, encoded variants) targeting AVideo image-handling endpoints
  • Deploy Web Application Firewall (WAF) rules that block path traversal payloads in query parameters and URL paths
  • Correlate unauthenticated requests with responses that contain private media Content-Type headers such as image/jpeg or image/png

Monitoring Recommendations

  • Enable verbose request logging on the AVideo PHP front-end and forward logs to a centralized analytics platform
  • Alert on response sizes that deviate from public-media baselines for unauthenticated requests
  • Monitor filesystem access by the PHP user account for reads outside the documented AVideo media root

How to Mitigate CVE-2026-46337

Immediate Actions Required

  • Upgrade AVideo to a version later than 29.0 that contains the vendor fix referenced in the WWBN security advisory
  • Restrict the PHP-FPM or web server user to a minimal filesystem scope using open_basedir or container mounts
  • Audit web logs for past exploitation attempts targeting the vulnerable image endpoint

Patch Information

WWBN published a security advisory tracked as GHSA-w4qq-74h6-58wq. Administrators should apply the upstream patch from the WWBN AVideo GitHub repository and verify the deployed version after upgrade.

Workarounds

  • Place AVideo behind a reverse proxy that strips .. and encoded traversal sequences from request paths before forwarding
  • Configure open_basedir in php.ini to confine PHP filesystem access to the AVideo installation directory
  • Isolate AVideo from sibling applications by running it in a dedicated container or chroot with no access to neighboring app directories
bash
# Configuration example
# php.ini hardening to constrain PHP filesystem access
open_basedir = "/var/www/avideo/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system"

# Example NGINX rule to block traversal attempts
location ~* \.\./ {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.