GHSA-Q4X6-6MM2-CRG9

Vulnerability from github – Published: 2026-04-08 00:08 – Updated: 2026-04-08 00:08
VLAI?
Summary
WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
Details

Summary

The Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers.

The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

Details

The vulnerable chain was:

  1. plugin/Live/view/getRestream.json.php exposed a fresh tokenForAction
  2. plugin/Live/view/Live_restreams/verifyTokenForAction.json.php exchanged it for a valid responseToken
  3. plugin/Live/view/Live_restreams_logs/add.json.php accepted attacker-controlled restreamerURL
  4. plugin/Live/view/getRestream.json.php and plugin/Live/view/Live_restreams/getAction.json.php later fetched that stored URL server-side

The original issue existed because the responseToken was accepted, but the callback destination was not tightly constrained to trusted restreamer endpoints.

The maintainer confirmed the vulnerability and stated that the fix was applied by validating restreamerURL at storage time and re-validating the log-entry branch before use. The maintainer also noted that the m3u8 field follows the same general pattern but is not server-fetched in the current flow.

Proof of concept

  1. Log in as a non-admin user with streaming permission.
  2. Create a normal restream destination.
  3. Trigger plugin/Live/view/Live_restreams/testRestreamer.json.php to create a live transmission history row.
  4. Call:
GET /plugin/Live/view/getRestream.json.php?live_transmitions_history_id=<id>&restreams_id=<id>
  1. Extract tokenForAction from the returned URL.
  2. Exchange it for responseToken via:
POST /plugin/Live/view/Live_restreams/verifyTokenForAction.json.php
  1. Store a loopback callback URL:
POST /plugin/Live/view/Live_restreams_logs/add.json.php
restreamerURL=http://127.0.0.1:9999/index.php
  1. Trigger getRestream.json.php again.
  2. Observe that the returned response now contains the JSON body from the loopback-only service.

Impact

An authenticated streamer can cause the AVideo server to send HTTP requests to loopback or internal services and return the response through normal application endpoints by storing a malicious restreamerURL in the restream log flow. Because the callback destination was not constrained to trusted restreamer endpoints, the application could be used as a proxy to internal-only services that trust network locality. Successful exploitation can expose local admin panels, internal-only APIs, cloud metadata services if reachable, or other sensitive internal responses available from the application host.

Recommended fix

  • Validate restreamerURL against explicitly configured restreamer endpoints at storage time
  • Re-validate the stored callback URL before server-side fetch
  • Bind responseToken to the expected restream row and callback host
  • Apply SSRF validation to the initial destination of every server-side fetch, not only redirect targets
  • Ignore or reject user-supplied callback hosts that do not match trusted configuration
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "WWBN/AVideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:08:42Z",
    "nvd_published_at": "2026-04-07T20:16:30Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Live restream log callback flow accepted an attacker-controlled `restreamerURL` and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers.\n\nThe vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.\n\n## Details\n\nThe vulnerable chain was:\n\n1. `plugin/Live/view/getRestream.json.php` exposed a fresh `tokenForAction`\n2. `plugin/Live/view/Live_restreams/verifyTokenForAction.json.php` exchanged it for a valid `responseToken`\n3. `plugin/Live/view/Live_restreams_logs/add.json.php` accepted attacker-controlled `restreamerURL`\n4. `plugin/Live/view/getRestream.json.php` and `plugin/Live/view/Live_restreams/getAction.json.php` later fetched that stored URL server-side\n\nThe original issue existed because the `responseToken` was accepted, but the callback destination was not tightly constrained to trusted restreamer endpoints.\n\nThe maintainer confirmed the vulnerability and stated that the fix was applied by validating `restreamerURL` at storage time and re-validating the log-entry branch before use. The maintainer also noted that the `m3u8` field follows the same general pattern but is not server-fetched in the current flow.\n\n## Proof of concept\n\n1. Log in as a non-admin user with streaming permission.\n2. Create a normal restream destination.\n3. Trigger `plugin/Live/view/Live_restreams/testRestreamer.json.php` to create a live transmission history row.\n4. Call:\n\n```text\nGET /plugin/Live/view/getRestream.json.php?live_transmitions_history_id=\u003cid\u003e\u0026restreams_id=\u003cid\u003e\n```\n\n5. Extract `tokenForAction` from the returned URL.\n6. Exchange it for `responseToken` via:\n\n```text\nPOST /plugin/Live/view/Live_restreams/verifyTokenForAction.json.php\n```\n\n7. Store a loopback callback URL:\n\n```text\nPOST /plugin/Live/view/Live_restreams_logs/add.json.php\nrestreamerURL=http://127.0.0.1:9999/index.php\n```\n\n8. Trigger `getRestream.json.php` again.\n9. Observe that the returned response now contains the JSON body from the loopback-only service.\n\n## Impact\n\nAn authenticated streamer can cause the AVideo server to send HTTP requests to loopback or internal services and return the response through normal application endpoints by storing a malicious `restreamerURL` in the restream log flow. Because the callback destination was not constrained to trusted restreamer endpoints, the application could be used as a proxy to internal-only services that trust network locality. Successful exploitation can expose local admin panels, internal-only APIs, cloud metadata services if reachable, or other sensitive internal responses available from the application host.\n\n\n## Recommended fix\n\n- Validate `restreamerURL` against explicitly configured restreamer endpoints at storage time\n- Re-validate the stored callback URL before server-side fetch\n- Bind `responseToken` to the expected restream row and callback host\n- Apply SSRF validation to the initial destination of every server-side fetch, not only redirect targets\n- Ignore or reject user-supplied callback hosts that do not match trusted configuration",
  "id": "GHSA-q4x6-6mm2-crg9",
  "modified": "2026-04-08T00:08:42Z",
  "published": "2026-04-08T00:08:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-q4x6-6mm2-crg9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39368"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.