CVE-2026-40907— WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40907
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在安全漏洞,该漏洞源于plugin/Live/view/Live_restreams/list.json.php端点存在不安全的直接对象引用,可能导致具有流媒体权限的经过身份验证的用户检索其他用户的实时转流配置。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40907
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40907
请登录查看更多情报信息。
Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total
| CVE-2026-40911 | 10.0 CRITICAL | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaSc |
| CVE-2026-41064 | 9.3 CRITICAL | AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) |
| CVE-2026-40909 | 8.7 HIGH | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File W |
| CVE-2026-41055 | 8.6 HIGH | AVideo has an incomplete fix for CVE-2026-33039 (SSRF) |
| CVE-2026-40925 | 8.3 HIGH | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeo |
| CVE-2026-41058 | 8.1 HIGH | AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo |
| CVE-2026-41056 | 8.1 HIGH | AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enable |
| CVE-2026-41060 | 7.7 HIGH | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL |
| CVE-2026-41057 | 7.1 HIGH | AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) t |
| CVE-2026-40926 | 7.1 HIGH | WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Scrip |
| CVE-2026-41062 | 6.5 MEDIUM | WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in Rec |
| CVE-2026-40929 | 5.4 MEDIUM | WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comme |
| CVE-2026-40928 | 5.4 MEDIUM | AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Cr |
| CVE-2026-41063 | 5.4 MEDIUM | WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) |
| CVE-2026-41061 | 5.4 MEDIUM | WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiv |
| CVE-2026-40908 | 5.3 MEDIUM | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes De |
| CVE-2026-40935 | 5.3 MEDIUM | WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token |
| CVE-2026-41304 | WWBN AVideo vulnerable to RCE caused by clonesite plugin |
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same vendor: WWBN
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. Comments for CVE-2026-40907
No comments yet