Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
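As an added illustration of the flaw class described above (not AVideo's code and not the content of the fixing commit), the following PHP contrasts a restream list function that filters by a caller-supplied `users_id` with one bound to the session user. The function names, the in-memory table and the placeholder keys and tokens are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample table standing in for a live_restreams table.
// Keys and tokens are placeholders, not real credentials.
const RESTREAMS = [
    ['id' => 1, 'users_id' => 10, 'platform' => 'youtube',
     'stream_key' => 'PLACEHOLDER_KEY_A', 'access_token' => 'PLACEHOLDER_TOKEN_A'],
    ['id' => 2, 'users_id' => 11, 'platform' => 'twitch',
     'stream_key' => 'PLACEHOLDER_KEY_B', 'access_token' => 'PLACEHOLDER_TOKEN_B'],
];

// IDOR shape: the row filter comes from the request, and the only gate is
// "logged in with streaming permission". The session user is never consulted,
// so any streamer can list (and read the tokens of) any other user's rows.
function listRestreamsIdor(int $requestedUsersId, int $sessionUsersId, bool $canStream): array
{
    if (!$canStream) {
        return [];
    }
    return array_values(array_filter(
        RESTREAMS,
        fn(array $row): bool => $row['users_id'] === $requestedUsersId
    ));
}

// Scoped shape: the filter is derived from the session, so a users_id in the
// request is ignored unless the caller is an admin (the one legitimate reason
// to widen the scope). This is the general ownership check for such endpoints.
function listRestreamsScoped(int $sessionUsersId, bool $canStream,
                             bool $isAdmin = false, ?int $requestedUsersId = null): array
{
    if (!$canStream) {
        return [];
    }
    $target = ($isAdmin && $requestedUsersId !== null) ? $requestedUsersId : $sessionUsersId;
    return array_values(array_filter(
        RESTREAMS,
        fn(array $row): bool => $row['users_id'] === $target
    ));
}

// User 10 (a non-admin streamer) asks for user 11's rows.
$leak   = listRestreamsIdor(11, 10, true);          // includes PLACEHOLDER_TOKEN_B
$scoped = listRestreamsScoped(10, true, false, 11); // only user 10's own row
echo json_encode(['idor' => $leak, 'scoped' => $scoped], JSON_PRETTY_PRINT), "\n";
```

Running it with `php` prints user 11's token under `idor` and only user 10's row under `scoped`, which is the behavioural difference a regression test for this endpoint should assert on.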
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 29.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7 (Patch)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-40907?
CVE-2026-40907 is a vulnerability with a CVSS score of 6.5 (MEDIUM). WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability...
How severe is CVE-2026-40907?
CVE-2026-40907 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-40907?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.