CVE-2026-30885 in AVideo

Summary

by MITRE • 03/10/2026

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.


Analysis

by VulDB Data Team • 03/13/2026

CVE-2026-30885 affects WWBN AVideo, an open source video platform used for hosting and sharing multimedia content. The flaw exists in versions prior to 25.0 and is a missing authorization check, classified under CWE-285 (Improper Authorization), on the /objects/playlistsFromUser.json.php endpoint, which returns playlist records from the database for a given user. Because the endpoint performs no authentication or authorization check, any unauthenticated client can retrieve playlist metadata for any user. The impact is information disclosure rather than code execution or account takeover; the page's own EPSS score (0.00118) and its absence from KEV reflect that.

Technically this is a broken object-level authorization issue in the application layer. The endpoint accepts a user identifier supplied by the caller and serves that user's playlists without checking whether the caller has a valid session and whether that session is entitled to view the playlists in question (for instance because it belongs to the owner or an administrator, or because the playlist is public). Supplying arbitrary user identifiers therefore returns playlist names, the associated video IDs, and the playlist status for every user. Note that input validation is not the root cause: the identifier can be perfectly well-formed and the request still succeeds, because the missing control is an authorization decision, not a syntax check.
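The following is an added illustration of the authorization gap just described; it is not AVideo's code and does not reproduce the project's fix. The data model, the request shape, the query parameter name `users_id`, and the status values `public`, `unlisted` and `private` are constructed assumptions. It shows the reported behaviour (every playlist for any user, no session required) beside a handler that enforces object-level authorization.

```python
"""Vulnerable vs. hardened playlist lookup (added example, not AVideo's code).

Assumptions (not taken from the advisory): the endpoint takes a GET parameter
`users_id`, playlists carry a status of "public", "unlisted" or "private", and
the session exposes the caller's user id and an admin flag.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Playlist:
    id: int
    users_id: int          # owner
    name: str
    status: str            # assumed: "public" | "unlisted" | "private"
    video_ids: list = field(default_factory=list)


@dataclass
class Request:
    query: dict                      # GET parameters as strings
    session_user_id: Optional[int]   # None when the caller is unauthenticated
    is_admin: bool = False


# Constructed sample data: two users, one with a private playlist.
PLAYLISTS = [
    Playlist(1, 10, "Public talks", "public", [101, 102]),
    Playlist(2, 10, "Drafts", "private", [103]),
    Playlist(3, 11, "Unlisted demos", "unlisted", [104]),
]


def _serialize(p: Playlist) -> dict:
    return {"id": p.id, "name": p.name, "status": p.status, "videos": list(p.video_ids)}


def playlists_from_user_vulnerable(req: Request) -> list:
    """Mirrors the reported behaviour: the caller's session is never consulted,
    so any users_id returns that user's complete playlist set."""
    users_id = int(req.query.get("users_id", 0))
    return [_serialize(p) for p in PLAYLISTS if p.users_id == users_id]


def playlists_from_user_fixed(req: Request) -> list:
    """Object-level authorization: the caller only sees what they are entitled to.

    - owner or admin: every playlist of that user
    - anyone else (including unauthenticated): only playlists marked public
    - malformed or unknown users_id: empty list, same shape as a real user with
      nothing public, so the response does not confirm which ids exist
    """
    try:
        users_id = int(req.query.get("users_id", ""))
    except ValueError:
        return []
    is_owner = req.session_user_id is not None and req.session_user_id == users_id
    full_access = req.is_admin or is_owner
    out = []
    for p in PLAYLISTS:
        if p.users_id != users_id:
            continue
        if full_access or p.status == "public":
            out.append(_serialize(p))
    return out


if __name__ == "__main__":
    anon = Request({"users_id": "10"}, session_user_id=None)
    print("vulnerable, anonymous:", [p["name"] for p in playlists_from_user_vulnerable(anon)])
    print("fixed, anonymous:     ", [p["name"] for p in playlists_from_user_fixed(anon)])
    print("fixed, owner:         ", [p["name"] for p in playlists_from_user_fixed(Request({"users_id": "10"}, 10))])
```

The important design point is that the decision is made per object (owner, admin, or public status), not merely "is the caller logged in": a logged-in check alone would still let any registered user read every other user's private playlists, which is the same class of flaw one step removed.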

The operational impact goes beyond a single leaked record. Because the endpoint accepts any user identifier, an unauthenticated attacker can iterate through identifiers and map the platform's user base together with each user's playlist collections, including playlists the user intended to keep private or unlisted. The playlist names and video IDs give an attacker useful context for social engineering, targeted follow-up attacks, or bulk content scraping, and the status field reveals which collections were meant to be hidden. The enumeration is cheap: each request is a plain GET with no session, so a script can walk the whole identifier space quickly unless the server rate-limits it.

In ATT&CK terms the enumeration behaviour corresponds to T1087 (Account Discovery); note that sub-technique T1087.001 is Local Account, which describes host-level user discovery, so the mapping to web application accounts is approximate. T1566 is Phishing, not credential harvesting as such; the relevant link is that leaked playlist and video metadata lets an attacker craft more convincing pretexts. Organizations running affected versions face privacy and compliance exposure if user playlist data is retrieved, and the endpoint also enables automated scraping of content collections that were not meant to be public.

Version 25.0 adds authentication and authorization checks to the playlist retrieval endpoint, in line with the principle of least privilege. Administrators should upgrade to 25.0 or later. Independently of the upgrade, it is worth monitoring web server or reverse-proxy access logs for the affected path: the signature of enumeration is a single client requesting many distinct user identifiers in a short window, which is different from a legitimate page fetching one user's playlists repeatedly. Rate limiting the endpoint per client limits how fast the identifier space can be walked but does not, by itself, stop the disclosure. The case is a reminder that authorization must be decided per object on every request, not inferred from the fact that an endpoint is only linked from authenticated pages.
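As an added example of the log monitoring suggested above (not part of the original advisory and not AVideo's code), the script below parses Apache combined-format access log lines, keeps only requests to /objects/playlistsFromUser.json.php, and reports clients that requested more than a threshold of distinct user identifiers. The log lines are constructed for the example, and the query parameter name `users_id` is an assumption; the script does not need to know whether each request succeeded, because a 200 on a vulnerable host and a 401 on a patched one both indicate someone probing.

```python
"""Detect user-id enumeration against the playlist endpoint in access logs.

Added example. Assumptions: Apache combined log format, and the endpoint takes
the user identifier in a `users_id` query parameter.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/playlistsFromUser.json.php"

# ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return the fields we need, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def users_id_from_target(target: str):
    """Extract users_id from the request target if it is the affected endpoint."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query).get("users_id")
    return values[0] if values else None


def find_enumerators(lines, threshold: int = 5) -> dict:
    """Map client IP -> number of distinct users_id values requested, for
    clients at or above `threshold`. Distinct ids, not request count, is the
    signal: a legitimate page may fetch one user's playlists many times."""
    distinct = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uid = users_id_from_target(rec["target"])
        if uid is None:
            continue
        distinct[rec["ip"]].add(uid)
    return {ip: len(ids) for ip, ids in distinct.items() if len(ids) >= threshold}


# Constructed sample log: one client walks ids 1..8, another fetches a single
# user's playlists repeatedly, plus unrelated traffic and a malformed line.
SAMPLE_LOG = [
    f'203.0.113.7 - - [13/Mar/2026:10:00:{i:02d} +0000] '
    f'"GET {ENDPOINT}?users_id={i} HTTP/1.1" 200 512 "-" "curl/8.0"'
    for i in range(1, 9)
] + [
    f'198.51.100.3 - - [13/Mar/2026:10:01:00 +0000] "GET {ENDPOINT}?users_id=10 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    f'198.51.100.3 - - [13/Mar/2026:10:01:05 +0000] "GET {ENDPOINT}?users_id=10 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [13/Mar/2026:10:01:07 +0000] "GET /objects/videos.json.php?page=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'this line is not an access log record',
]


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: requested {count} distinct users_id values on {ENDPOINT}")
```

In production, feed the function a rolling window of lines rather than the whole log, and tune the threshold to the number of distinct users a single visitor could plausibly browse in that window; the unauthenticated-request pattern is especially suspicious after upgrading, since a patched server should not be serving private playlists to anonymous callers at all.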

Responsible

GitHub M

Reservation

03/06/2026

Disclosure

03/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00118

KEV

no

Activities

very low
