LeakyCreds

CVE-2026-40907 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: April 23, 2026

WWBN AVideo - Broken Access Control

Published: April 21, 2026 | Updated: April 23, 2026 | PoC Available | Remote Exploitable

Overview

WWBN AVideo <= 29.0 contains an Insecure Direct Object Reference caused by improper access control in plugin/Live/view/Live_restreams/list.json.php. Authenticated users with streaming permission can access other users' live restream configurations, including stream keys and OAuth tokens. Exploitation requires an authenticated account with streaming permission.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Authenticated users can access sensitive live stream keys and OAuth tokens, risking account compromise and unauthorized streaming.

Mitigation

Update to a version including commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 or later.

Details

CVE ID: CVE-2026-40907
Severity: Medium
CVSS Score: 6.5
Type: broken_access_control
Status: confirmed

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N