{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40907", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-21T19:50:10.257Z", "dateUpdated": "2026-04-21T20:06:56.844Z"}, "containers": {"cna": {"title": "WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"}, {"name": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:50:10.257Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue."}], "source": {"advisory": "GHSA-gpgp-w4x2-h3h7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:06:53.709815Z", "id": "CVE-2026-40907", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:06:56.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40907", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:06:53.709815Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:06:45.511Z"}}], "cna": {"title": "WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens", "source": {"advisory": "GHSA-gpgp-w4x2-h3h7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 29.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7", "name": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:50:10.257Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40907", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:06:56.844Z", "dateReserved": "2026-04-15T16:37:22.767Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:50:10.257Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA", "versionEndIncluding": "29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue."}], "id": "CVE-2026-40907", "lastModified": "2026-04-23T19:12:33.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:03.080", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/d5992fff2811df4adad1d9fc7d0a5837b882aed7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gpgp-w4x2-h3h7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T05:26:04.257471+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest AVideo release or apply the patch commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 that fixes the IDOR issue.", "Reduce the number of users with streaming permission to only trusted individuals and review existing permissions regularly.", "Generate new stream keys and OAuth tokens for all impacted accounts and revoke the potentially exposed credentials to prevent relay attacks."], "summary": {"action": "Apply Patch", "impact": "Unauthorized disclosure of stream keys and OAuth tokens"}, "threat_synthesis": {"affected_systems": "Versions of WWBN AVideo up to and including 29.0 are affected. The issue specifically targets the plugin/Live/view/Live_restreams/list.json.php endpoint, which collects configuration data for live restreams. Users running an affected version of the open source platform should verify their installation against the latest code release.", "description_and_impact": "WWBN AVideo, an open source video platform, has an IDOR flaw in the Live restream list endpoint that lets any authenticated user with streaming permission view other users\u2019 live restream configurations. The data exposed includes third\u2011party platform stream keys and OAuth tokens for YouTube Live, Facebook Live, and Twitch, which could be used to hijack streams or impersonate channels. CWE\u2011639 indicates that the vulnerability arises from improper authorization controls.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5, reflecting moderate severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated and to have streaming permissions, after which they can directly fetch the target data through the vulnerable endpoint. The most likely attack vector is an internal user or compromised account leveraging normal streaming privileges to request or export the configuration of other users. Given the sensitivity of stream keys and OAuth tokens, any successful exploitation can lead to significant account compromise and service disruptions."}}}}, "created": "2026-04-22T04:15:07.395625+00:00", "updated": "2026-04-22T05:30:09.557867+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}