WWBN AVideo CORS Vulnerability (CVE-2026-41057)
WWBN AVideo versions 29.0 and below are vulnerable to cross-origin credentialed requests to API endpoints due to an incomplete CORS origin validation fix, potentially exposing sensitive user data.
WWBN AVideo, an open-source video platform, is susceptible to a CORS vulnerability (CVE-2026-41057) in versions 29.0 and below. The vulnerability stems from an incomplete fix for CORS origin validation. Specifically, two code paths, plugin/API/router.php and allowOrigin(true) called by get.json.php and set.json.php, reflect arbitrary Origin headers, allowing credentials for all /api/* endpoints. This flaw enables attackers to bypass CORS restrictions and make cross-origin credentialed requests. A fix has been implemented in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13. This vulnerability could lead to the exposure of sensitive information, including user PII, email addresses, admin status, and session-sensitive data. Defenders should prioritize patching affected AVideo instances.
Attack Chain
- Attacker identifies an AVideo instance running version 29.0 or below.
- Attacker crafts a malicious webpage containing JavaScript code designed to make cross-origin requests to the vulnerable AVideo instance's
/api/*endpoints. - The malicious webpage sets the
Originheader to an arbitrary value. - Due to the incomplete CORS validation in
plugin/API/router.php, the server reflects the arbitrary origin. - Alternatively, the malicious webpage triggers
get.json.phporset.json.php, which callallowOrigin(true)and reflect the arbitrary origin withAccess-Control-Allow-Credentials: true. - The attacker's JavaScript code sends a credentialed request (e.g., including cookies) to the
/api/*endpoint. - The AVideo server processes the request and returns an authenticated response containing user PII, email, admin status, and session-sensitive data.
- The attacker's malicious webpage extracts and exfiltrates the sensitive data from the response.
Impact
Successful exploitation of CVE-2026-41057 allows attackers to bypass CORS restrictions and access sensitive information from vulnerable AVideo instances. This includes user PII, email addresses, admin status, and session-sensitive data. The impact could range from unauthorized access to user accounts to complete compromise of the AVideo platform, depending on the specific API endpoint targeted and the permissions of the compromised user. The number of victims is dependent on the number of vulnerable AVideo instances exposed to the internet.
Recommendation
- Apply the patch from commit
5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13to remediate CVE-2026-41057. - Deploy the Sigma rules provided to detect attempts to exploit this CORS vulnerability within web server logs.
- Monitor web server logs for requests to
/api/*endpoints with unusual or unexpectedOriginheaders. - Implement proper CORS validation on all AVideo instances, ensuring that only trusted origins are allowed to access sensitive API endpoints.
Detection coverage 2
AVideo API Access with Suspicious Origin Header
mediumDetects access to AVideo API endpoints with a non-empty Origin header, which could indicate a CORS exploitation attempt.
AVideo API POST Request with Credentialed Origin
highDetects POST requests to AVideo API endpoints with a credentialed `Origin` header which may indicate potential exploitation of CORS vulnerability.
Detection queries are available on the platform. Get full rules →