Vulnerability-Lookup

CVE-2026-40907 (GCVE-0-2026-40907)

Vulnerability from cvelistv5 – Published: 2026-04-21 19:50 – Updated: 2026-04-21 20:06

Title

WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens

Summary

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/d5992fff281…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40907",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T20:06:53.709815Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-21T20:06:56.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users\u0027 live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T19:50:10.257Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7"
        }
      ],
      "source": {
        "advisory": "GHSA-gpgp-w4x2-h3h7",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users\u0027 Stream Keys and OAuth Tokens"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40907",
    "datePublished": "2026-04-21T19:50:10.257Z",
    "dateReserved": "2026-04-15T16:37:22.767Z",
    "dateUpdated": "2026-04-21T20:06:56.844Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40907",
      "date": "2026-04-23",
      "epss": "0.00028",
      "percentile": "0.0812"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40907\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-21T20:17:03.080\",\"lastModified\":\"2026-04-23T19:12:33.060\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users\u0027 live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"29.0\",\"matchCriteriaId\":\"AC38CA07-71C1-4C86-B84A-83CF96367CBA\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40907\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-21T20:06:53.709815Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-21T20:06:45.511Z\"}}], \"cna\": {\"title\": \"WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users\u0027 Stream Keys and OAuth Tokens\", \"source\": {\"advisory\": \"GHSA-gpgp-w4x2-h3h7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 29.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7\", \"name\": \"https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users\u0027 live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T19:50:10.257Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40907\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-21T20:06:56.844Z\", \"dateReserved\": \"2026-04-15T16:37:22.767Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-21T19:50:10.257Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40907

Vulnerability from fkie_nvd - Published: 2026-04-21 20:17 - Updated: 2026-04-23 19:12

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA",
              "versionEndIncluding": "29.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users\u0027 live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue."
    }
  ],
  "id": "CVE-2026-40907",
  "lastModified": "2026-04-23T19:12:33.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-21T20:17:03.080",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-GPGP-W4X2-H3H7

Vulnerability from github – Published: 2026-04-14 22:49 – Updated: 2026-04-14 22:49

Summary

WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens

Details

Summary

The endpoint plugin/Live/view/Live_restreams/list.json.php contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch.

Details

The authorization logic in list.json.php is intended to restrict non-admin users to viewing only their own restream records. However, the implementation at lines 10-14 only enforces this when the users_id GET parameter is absent:

// plugin/Live/view/Live_restreams/list.json.php:6-19
if (!User::canStream()) {
    die('{"data": []}');
}

if (empty($_GET['users_id'])) {       // Line 10: only triggers when param is MISSING
    if (!User::isAdmin()) {
        $_GET['users_id'] = User::getId();  // Line 12: force to own ID
    }
}

if (empty($_GET['users_id'])) {
    $rows = Live_restreams::getAll();
} else {
    $rows = Live_restreams::getAllFromUser($_GET['users_id'], "");  // Line 19: attacker-controlled ID
}

When a non-admin user explicitly supplies ?users_id=<victim_id>, the value is non-empty, so the override at line 12 is never reached. The attacker-controlled ID passes directly to getAllFromUser(), which executes:

// plugin/Live/Objects/Live_restreams.php:90
$sql = "SELECT * FROM live_restreams WHERE users_id = $users_id";

This returns all columns from the live_restreams table, including: - stream_key (VARCHAR 500) — the victim's RTMP stream key for third-party platforms - stream_url (VARCHAR 500) — the RTMP ingest endpoint - parameters (TEXT) — JSON blob containing OAuth credentials (access_token, refresh_token, expires_at) obtained via the restream.ypt.me OAuth flow

Other endpoints in the same directory correctly validate ownership. For example, delete.json.php:19:

if (!User::isAdmin() && $row->getUsers_id() != User::getId()) {
    $obj->msg = "You are not admin";
    die(json_encode($obj));
}

This ownership check is missing from list.json.php.

PoC

Prerequisites: Two user accounts — attacker (user ID 2, streaming permission) and victim (user ID 1, has configured restreams with third-party platform keys).

Step 1: Attacker authenticates and retrieves their session cookie.

Step 2: Attacker requests victim's restream list:

curl -s -b 'PHPSESSID=<attacker_session>' \
  'https://target.com/plugin/Live/view/Live_restreams/list.json.php?users_id=1'

Expected response (normal behavior): Empty data or error.

Actual response: Full restream records for user ID 1:

{
  "data": [
    {
      "id": 1,
      "name": "YouTube Live",
      "stream_url": "rtmp://a.rtmp.youtube.com/live2",
      "stream_key": "xxxx-xxxx-xxxx-xxxx-xxxx",
      "parameters": "{\"access_token\":\"ya29.a0A...\",\"refresh_token\":\"1//0e...\",\"expires_at\":1712600000}",
      "users_id": 1,
      "status": "a"
    }
  ]
}

Step 3: Attacker can enumerate all user IDs (1, 2, 3, ...) to harvest all configured restream credentials across the platform.

Impact

Credential theft: Attacker obtains third-party platform stream keys and OAuth tokens (access_token, refresh_token) for all users who have configured live restreaming.
Unauthorized broadcasting: Stolen RTMP stream keys allow the attacker to broadcast arbitrary content to the victim's YouTube, Facebook, or Twitch channels.
OAuth token abuse: Stolen refresh tokens can be used to obtain new access tokens, providing persistent access to the victim's third-party accounts within the scope of the original OAuth grant.
Full enumeration: User IDs are sequential integers, enabling trivial enumeration of all platform users' restream credentials.

Recommended Fix

Add an ownership check in list.json.php consistent with the pattern used in delete.json.php and add.json.php:

// plugin/Live/view/Live_restreams/list.json.php — replace lines 10-14
if (!User::isAdmin()) {
    $_GET['users_id'] = User::getId();
}

This unconditionally forces non-admin users to their own user ID, regardless of whether the users_id parameter was supplied. The empty() check should be removed so that the parameter cannot be used to bypass the restriction.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:49:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users\u0027 live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch.\n\n## Details\n\nThe authorization logic in `list.json.php` is intended to restrict non-admin users to viewing only their own restream records. However, the implementation at lines 10-14 only enforces this when the `users_id` GET parameter is absent:\n\n```php\n// plugin/Live/view/Live_restreams/list.json.php:6-19\nif (!User::canStream()) {\n    die(\u0027{\"data\": []}\u0027);\n}\n\nif (empty($_GET[\u0027users_id\u0027])) {       // Line 10: only triggers when param is MISSING\n    if (!User::isAdmin()) {\n        $_GET[\u0027users_id\u0027] = User::getId();  // Line 12: force to own ID\n    }\n}\n\nif (empty($_GET[\u0027users_id\u0027])) {\n    $rows = Live_restreams::getAll();\n} else {\n    $rows = Live_restreams::getAllFromUser($_GET[\u0027users_id\u0027], \"\");  // Line 19: attacker-controlled ID\n}\n```\n\nWhen a non-admin user explicitly supplies `?users_id=\u003cvictim_id\u003e`, the value is non-empty, so the override at line 12 is never reached. The attacker-controlled ID passes directly to `getAllFromUser()`, which executes:\n\n```php\n// plugin/Live/Objects/Live_restreams.php:90\n$sql = \"SELECT * FROM live_restreams WHERE users_id = $users_id\";\n```\n\nThis returns all columns from the `live_restreams` table, including:\n- `stream_key` (VARCHAR 500) \u2014 the victim\u0027s RTMP stream key for third-party platforms\n- `stream_url` (VARCHAR 500) \u2014 the RTMP ingest endpoint\n- `parameters` (TEXT) \u2014 JSON blob containing OAuth credentials (`access_token`, `refresh_token`, `expires_at`) obtained via the restream.ypt.me OAuth flow\n\nOther endpoints in the same directory correctly validate ownership. For example, `delete.json.php:19`:\n```php\nif (!User::isAdmin() \u0026\u0026 $row-\u003egetUsers_id() != User::getId()) {\n    $obj-\u003emsg = \"You are not admin\";\n    die(json_encode($obj));\n}\n```\n\nThis ownership check is missing from `list.json.php`.\n\n## PoC\n\n**Prerequisites:** Two user accounts \u2014 attacker (user ID 2, streaming permission) and victim (user ID 1, has configured restreams with third-party platform keys).\n\n**Step 1:** Attacker authenticates and retrieves their session cookie.\n\n**Step 2:** Attacker requests victim\u0027s restream list:\n```bash\ncurl -s -b \u0027PHPSESSID=\u003cattacker_session\u003e\u0027 \\\n  \u0027https://target.com/plugin/Live/view/Live_restreams/list.json.php?users_id=1\u0027\n```\n\n**Expected response (normal behavior):** Empty data or error.\n\n**Actual response:** Full restream records for user ID 1:\n```json\n{\n  \"data\": [\n    {\n      \"id\": 1,\n      \"name\": \"YouTube Live\",\n      \"stream_url\": \"rtmp://a.rtmp.youtube.com/live2\",\n      \"stream_key\": \"xxxx-xxxx-xxxx-xxxx-xxxx\",\n      \"parameters\": \"{\\\"access_token\\\":\\\"ya29.a0A...\\\",\\\"refresh_token\\\":\\\"1//0e...\\\",\\\"expires_at\\\":1712600000}\",\n      \"users_id\": 1,\n      \"status\": \"a\"\n    }\n  ]\n}\n```\n\n**Step 3:** Attacker can enumerate all user IDs (1, 2, 3, ...) to harvest all configured restream credentials across the platform.\n\n## Impact\n\n- **Credential theft:** Attacker obtains third-party platform stream keys and OAuth tokens (access_token, refresh_token) for all users who have configured live restreaming.\n- **Unauthorized broadcasting:** Stolen RTMP stream keys allow the attacker to broadcast arbitrary content to the victim\u0027s YouTube, Facebook, or Twitch channels.\n- **OAuth token abuse:** Stolen refresh tokens can be used to obtain new access tokens, providing persistent access to the victim\u0027s third-party accounts within the scope of the original OAuth grant.\n- **Full enumeration:** User IDs are sequential integers, enabling trivial enumeration of all platform users\u0027 restream credentials.\n\n## Recommended Fix\n\nAdd an ownership check in `list.json.php` consistent with the pattern used in `delete.json.php` and `add.json.php`:\n\n```php\n// plugin/Live/view/Live_restreams/list.json.php \u2014 replace lines 10-14\nif (!User::isAdmin()) {\n    $_GET[\u0027users_id\u0027] = User::getId();\n}\n```\n\nThis unconditionally forces non-admin users to their own user ID, regardless of whether the `users_id` parameter was supplied. The `empty()` check should be removed so that the parameter cannot be used to bypass the restriction.",
  "id": "GHSA-gpgp-w4x2-h3h7",
  "modified": "2026-04-14T22:49:05Z",
  "published": "2026-04-14T22:49:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users\u0027 Stream Keys and OAuth Tokens"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40907 (GCVE-0-2026-40907)

FKIE_CVE-2026-40907

GHSA-GPGP-W4X2-H3H7

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature