CVE-2024-29026 in Owncast
Summary
by MITRE • 03/21/2024
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
Analysis
by VulDB Data Team • 10/15/2025
CVE-2024-29026 affects Owncast, an open source, self-hosted live video streaming and chat server built for decentralized communication. Versions 0.1.2 and earlier ship an overly permissive Cross-Origin Resource Sharing (CORS) policy that does not properly validate the origin of incoming requests, which undermines the access controls around the server's privileged endpoints.
Because the CORS headers are lenient, a page served from an unrelated origin can issue a cross-origin request to the server and read the privileged response that the browser would otherwise withhold, including administrator credentials. The weak policy thus turns a failed browser-side boundary into direct disclosure of administrative information. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes the issue by applying stricter CORS validation that enforces origin restrictions and prevents unauthorized data access.
The operational impact is severe for Owncast operators. An attacker who obtains the administrative credentials can modify streaming configuration, manipulate chat content, access user data, or take control of the entire streaming infrastructure. Since Owncast is a single-user deployment, the admin account is the sole guardian of system integrity and user privacy, so exposure of the admin password through this CORS misconfiguration is a direct path to system takeover and unauthorized modification.
Mitigation requires applying the fix in commit 9215d9ba0f29d62201d3feea9e77dcd274581624, which enforces proper CORS policy validation; in practice this means updating Owncast installations to versions greater than 0.1.2. Administrators should also monitor cross-origin requests to the server to detect abuse attempts. The fix aligns with CWE-346, "Origin Validation Error", and addresses ATT&CK technique T1566.002, "Phishing: Spearphishing Attachments". At the network and application layer, CORS headers should name the allowed origins explicitly and avoid wildcard configurations that could expose privileged information.
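As an added illustration, not Owncast's code and not the referenced commit, the following Go snippet contrasts a lenient CORS middleware that reflects any Origin and allows credentials (one common form of the weak policy the analysis describes, assumed here) with an explicit-allowlist version, and models the browser's read check for a credentialed cross-origin fetch. The endpoint path, origins and response body are constructed placeholders.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// adminHandler stands in for a privileged endpoint (constructed body).
var adminHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte(`{"adminPassword":"PLACEHOLDER"}`)) // constructed, not real data
})

// lenientCORS reflects whatever Origin the browser sent and allows
// credentials: the weak pattern. Any site can then read the response.
func lenientCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// strictCORS echoes only allowlisted origins; any other origin gets no
// CORS headers, so the browser withholds the body from the calling page.
func strictCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// crossOriginRead applies the browser rule for a credentialed cross-origin
// fetch: the page may read the body only if the response echoes its exact
// origin and allows credentials. Returns (readable, body).
func crossOriginRead(h http.Handler, origin string) (bool, string) {
	req := httptest.NewRequest("GET", "/api/admin/config", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	if rec.Header().Get("Access-Control-Allow-Origin") != origin ||
		rec.Header().Get("Access-Control-Allow-Credentials") != "true" {
		return false, ""
	}
	return true, rec.Body.String()
}
```

A production allowlist should additionally emit `Vary: Origin` so shared caches never serve one origin's CORS response to another.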