Cyber Resilience

CVE-2026-41056

HighPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0034 25.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41056 is a high-severity Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-41056 is a cross-origin resource sharing (CORS) misconfiguration vulnerability affecting WWBN AVideo, an open source video platform, in versions 29.0 and below. The issue resides in the `allowOrigin($allowAll=true)` function within `objects/functions.php`, which indiscriminately reflects any arbitrary `Origin` header value back in the `Access-Control-Allow-Origin` response header while also setting `Access-Control-Allow-Credentials: true`. This function is invoked by key API endpoints, including `plugin/API/get.json.php` and `plugin/API/set.json.php`, which manage user data retrieval, authentication, livestream credentials, and state-changing operations. The vulnerability is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).

An attacker can exploit this vulnerability by hosting a malicious website that tricks an authenticated user into visiting it, leveraging the application's `SameSite=None` session cookie policy. This enables the attacker's site to perform credentialed cross-origin requests to the AVideo instance, reading sensitive authenticated API responses. Potential impacts include theft of user personally identifiable information (PII), livestream keys, and execution of state-changing operations on behalf of the victim, such as modifying user data or other administrative actions.

Mitigation is available via a patch in commit caf705f38eae0ccfac4c3af1587781355d24495e on the WWBN/AVideo GitHub repository. The GitHub Security Advisory GHSA-ccq9-r5cw-5hwq provides further details on the issue and recommends upgrading to a patched version to enforce proper origin validation and restrict cross-origin access.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` —…

more

the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CORS misconfiguration in public-facing API endpoints directly enables exploitation of the web application to perform unauthorized credentialed cross-origin requests for data access and state changes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-41055Same product: Wwbn Avideo
CVE-2026-33297Same product: Wwbn Avideo
CVE-2026-41057Same product: Wwbn Avideo
CVE-2020-37172Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo
CVE-2026-33719Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 29.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces cross-domain policies to control information flow between trusted and untrusted origins, directly preventing unauthorized credentialed access to sensitive APIs via misconfigured CORS.

prevent

Mediates information flows based on approved policies, restricting API responses to only authorized origins and blocking reflection of arbitrary Origin headers.

prevent

Mandates secure configuration settings for web applications, ensuring Access-Control-Allow-Origin is restricted to trusted domains rather than allowing all with credentials.

References