CVE-2026-41057
Published: 21 April 2026
Summary
CVE-2026-41057 is a high-severity Origin Validation Error (CWE-346) vulnerability in Wwbn Avideo. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 5.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the CWE-346 Origin Validation Error by requiring validation of the Origin header prior to allowing credentialed cross-origin requests to API endpoints.
- Enforces approved information flow control policies to prevent unauthorized cross-origin access to sensitive authenticated API responses containing PII and session data.
- Monitors and controls communications at system boundaries to block or restrict improper CORS reflections on /api/* endpoints from arbitrary origins.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a CORS origin validation error in a public-facing web application's API endpoints, directly enabling exploitation of the internet-facing AVideo instance via cross-origin credentialed requests to read sensitive data.
NVD Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.
Deeper analysis
WWBN AVideo, an open source video platform, is affected by CVE-2026-41057 in versions 29.0 and below. The vulnerability stems from an incomplete CORS origin validation fix introduced in commit 986e64aad. Specifically, two code paths still reflect arbitrary Origin headers while allowing credentials for all /api/* endpoints: (1) plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code executes, and (2) the allowOrigin(true) function invoked by get.json.php and set.json.php reflects any origin with Access-Control-Allow-Credentials: true. This flaw is classified under CWE-346 (Origin Validation Error) with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
An attacker can exploit this vulnerability by tricking a victim into visiting a malicious website, enabling cross-origin credentialed requests to the vulnerable AVideo instance's API endpoints. No privileges are required (PR:N), and exploitation is network-accessible (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as clicking a link. Successful exploitation allows the attacker to read authenticated responses, disclosing sensitive user data including PII, email addresses, admin status, and session-sensitive information, with high confidentiality impact (C:H) and low integrity impact (I:L).
The GitHub security advisory GHSA-ff5q-cc22-fgp4 and fixing commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 detail the patch, which addresses the incomplete CORS validation by properly restricting origin reflection and credential allowance in the affected code paths. Security practitioners should upgrade to a version incorporating this commit and verify CORS headers on API endpoints.
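The reflection pattern the advisory describes, a strict allow-list replacement for it, and the response-side check an operator can use to verify their own /api/* endpoints, as an added example in Python (not AVideo's PHP code); the origins in ALLOWED_ORIGINS and all function names are assumptions for illustration.

```python
"""Added example (not AVideo's code): CWE-346 origin reflection versus a
strict allow-list, plus a check for the reflected-with-credentials pattern."""
from urllib.parse import urlsplit

# Hypothetical allow-list; a real deployment lists its own front-end origins.
ALLOWED_ORIGINS = {"https://video.example.com", "https://admin.example.com"}


def reflect_any_origin(origin):
    """Vulnerable pattern from the advisory: whatever Origin arrives is
    echoed back together with Access-Control-Allow-Credentials: true."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allow_origin_strict(origin):
    """Hardened version: exact match (scheme + host, lower-cased) against a
    fixed allow-list. Missing, 'null' or unknown origins get no CORS headers,
    so the browser refuses to expose the authenticated response."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return {}
    # Vary: Origin keeps caches from serving one origin's headers to another.
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def reflects_with_credentials(sent_origin, response_headers):
    """Verification check: send a foreign Origin to an API endpoint and flag
    the response if that origin is echoed back with credentials allowed."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin", "")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    return acao == sent_origin and acac
```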
Details
- CWE(s)