CVE-2026-34732
Published: 31 March 2026
Summary
CVE-2026-34732 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in WWBN AVideo. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for access to system resources, directly addressing the missing authentication and authorization checks on the vulnerable list.json.php endpoints.
- AC-14 (Permitted Actions Without Identification or Authentication): requires the organization to explicitly identify and authorize the actions that may be performed without identification or authentication, preventing unauthenticated listing of sensitive data via the affected endpoints.
- Requires identification and authentication of non-organizational users before they access platform resources, mitigating unauthenticated exposure of PII and other sensitive information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes unauthenticated public endpoints in a web application, directly enabling remote exploitation of public-facing applications (Exploit Public-Facing Application, T1190) to retrieve sensitive data stored on the local system (Data from Local System, T1005).
NVD Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.
Deeper analysis
CVE-2026-34732 affects WWBN AVideo, an open source video platform, in versions 26.0 and prior. The vulnerability stems from the CreatePlugin template for list.json.php, which lacks any authentication or authorization checks. Unlike the companion templates add.json.php and delete.json.php that require admin privileges, list.json.php was shipped without such protections. This omission propagates to every plugin generated with the CreatePlugin code generator, creating 21 unauthenticated data listing endpoints that expose sensitive information such as user personally identifiable information (PII), payment transaction logs, IP addresses, user agents, and internal system records. The issue is classified under CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation involves sending HTTP requests to the affected list.json.php endpoints, allowing remote retrieval of the sensitive data without credentials. Successful attacks result in low-impact confidentiality breaches, enabling data exposure but without affecting integrity or availability.
The GitHub security advisory (GHSA-g2mg-cgr6-vmv7) details the issue but notes that, at the time of publication on 2026-03-31, no publicly available patches exist for this vulnerability. Security practitioners should monitor the AVideo repository for updates and consider implementing custom authentication checks on the affected endpoints as an interim measure.
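Until a patch is available, operators can at least tell whether the exposed endpoints are being read. The following script is an added example, not code from the advisory or the AVideo project: it scans web-server access logs for successful responses from CreatePlugin-generated list.json.php endpoints to requests that carried no session cookie at all, which no admin-only endpoint should ever return. The log format (combined format plus a trailing Cookie field), the plugin/<PluginName>/list.json.php path layout, the PHPSESSID cookie name, and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed log format (an assumption about the deployment, not AVideo's own logging): a
# combined-style access line plus the request's Cookie header as a final quoted field ("-" if none).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<cookies>[^"]*)"$'
)
LIST_ENDPOINT_RE = re.compile(r"^/plugin/[A-Za-z0-9_]+/list\.json\.php$")  # assumed plugin layout
SESSION_COOKIE = "PHPSESSID"  # assumed PHP session cookie name

def parse_line(line):
    """Parse one access-log line into a dict; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["path"]).path  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec

def find_unauthenticated_listings(lines):
    """Return (ip, path) for each 200 response from a list.json.php endpoint to a request with
    no session cookie: such a request cannot have passed an admin check, so it is direct evidence
    of exposure. Requests with a session are skipped; the log cannot tell whether it was an admin."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not LIST_ENDPOINT_RE.match(rec["path"]):
            continue
        if rec["status"] != 200 or SESSION_COOKIE in rec["cookies"]:
            continue
        hits.append((rec["ip"], rec["path"]))
    return hits

def summarize(hits):
    """Group findings by source IP and list the distinct endpoints that leaked."""
    return {"by_ip": dict(Counter(ip for ip, _ in hits)),
            "endpoints": sorted({path for _, path in hits})}

# Constructed sample log: RFC 5737 documentation addresses and placeholder plugin names.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:10:00:01 +0000] "GET /plugin/PluginA/list.json.php HTTP/1.1" 200 4821 "-"',
    '203.0.113.7 - - [31/Mar/2026:10:00:02 +0000] "GET /plugin/PluginB/list.json.php?page=1 HTTP/1.1" 200 910 "-"',
    '198.51.100.4 - - [31/Mar/2026:10:00:03 +0000] "GET /plugin/PluginA/list.json.php HTTP/1.1" 200 4821 "PHPSESSID=s3ss10n"',
    '203.0.113.7 - - [31/Mar/2026:10:00:04 +0000] "GET /plugin/PluginA/add.json.php HTTP/1.1" 403 120 "-"',
    '192.0.2.9 - - [31/Mar/2026:10:00:05 +0000] "GET /plugin/PluginC/list.json.php HTTP/1.1" 404 196 "-"',
]
```

Run `summarize(find_unauthenticated_listings(SAMPLE_LOG))` to see which endpoints leaked and from where; once an interim auth check is in place, any 200 this script still flags means the guard is not covering every generated plugin.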
Details
- CWE(s)