{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34369", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-03-27T18:13:23.534Z", "dateUpdated": "2026-03-27T18:13:23.534Z"}, "containers": {"cna": {"title": "AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-q6jj-r49p-94fh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-q6jj-r49p-94fh"}, {"name": "https://github.com/WWBN/AVideo/commit/be344206f2f461c034ad2f1c5d8212dd8a52b8c7", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/be344206f2f461c034ad2f1c5d8212dd8a52b8c7"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:13:23.534Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue."}], "source": {"advisory": "GHSA-q6jj-r49p-94fh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue."}], "id": "CVE-2026-34369", "lastModified": "2026-03-27T19:16:42.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T19:16:42.737", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/be344206f2f461c034ad2f1c5d8212dd8a52b8c7"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-q6jj-r49p-94fh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:23:07.385993+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version newer than 26.0 that includes the authentication check for the API endpoints.", "If an upgrade is not feasible immediately, restrict or guard the get_api_video and get_api_video_file endpoints so that only authenticated requests can retrieve playback URLs.", "Test the API after applying changes to confirm that password-protected videos no longer return playback URLs to unauthenticated callers."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted access to password-protected video URLs"}, "threat_synthesis": {"affected_systems": "AVideo, the open source video platform maintained by WWBN, is affected in all released versions up to and including 26.0. Users running any of these versions and relying on the protected-video feature should verify which version they are using. Later revisions after the fix are not impacted.", "description_and_impact": "The vulnerability allows an unauthenticated caller of AVideo's API endpoints to obtain direct video playback URLs for content that is otherwise protected by a password. Because the API path does not perform the same password check that the normal web player uses, the attacker can retrieve the full MP4 and HLS stream locations and play them without any credential. This results in unauthorized disclosure of the protected video media and undermines the platform's privacy controls. The weakness is a missing authorization check (CWE-862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity risk, and the absence of network restriction means any external actor can call the API without authentication. Because the vulnerability does not rely on a complex condition or privilege escalation, it is relatively easy to exploit, subject to the availability of the video ID, which is generally public. Although the vulnerability is not presently listed in CISA's KEV catalog and EPSS data are not available, the straightforward nature of the attack and the potential for privacy loss make immediate remediation advisable."}}}}, "created": "2026-03-27T20:27:50.472948+00:00", "updated": "2026-03-27T20:27:50.472978+00:00", "vendors": []}