CVE-2026-45620: WWBN AVideo User Enumeration Vulnerability (Medium)
CVE-2026-45620 is a user enumeration vulnerability in WWBN AVideo version 29.0 and earlier. The `objects/mention.json.php` endpoint lacks proper authentication controls and allows attackers to discover valid usernames on the platform without logging in. An attacker can craft requests to the endpoint and enumerate users by checking responses, potentially gathering intelligence for follow-up attacks like credential stuffing or targeted social engineering.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-204, CWE-285
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the `objects/mention.json.php` file, which implements only a basic entry guard using a regex pattern (`preg_match('/^@/', $_REQUEST['term'])`) and a hard-coded `rowCount=10` parameter. Critically, the endpoint contains neither `User::loginCheck()` nor administrative authorization gates, allowing unauthenticated HTTP requests to query user data. CWE-204 (Observable Discrepancy) and CWE-285 (Improper Authorization) classify the underlying issues: the endpoint reveals user existence through response differentiation without requiring authentication.
Business impact
User enumeration may seem low-impact in isolation, but it serves as reconnaissance for larger attack campaigns. Threat actors can build comprehensive username lists for the target organization, enabling credential attacks, spear-phishing tailored to real usernames, or social engineering. For enterprises running AVideo internally (e.g., corporate video platforms or media organizations), this can expose organizational structure and employee names to external adversaries. The cumulative risk increases if combined with password spray or breach data correlation attacks.
Affected systems
WWBN AVideo version 29.0 and earlier are affected. Organizations running this self-hosted video platform should verify their installed version immediately. Later versions (if available) should be checked against vendor advisories for confirmation of remediation.
Exploitability
Exploitability is straightforward and requires no authentication, special privileges, or user interaction. An attacker with network access to the AVideo instance can repeatedly call the endpoint with varying input parameters to enumerate users. The attack is network-accessible (AV:N) and of low complexity (AC:L), making it a practical reconnaissance vector for any external threat actor.
Remediation
Upgrade WWBN AVideo to a patched version that implements proper authentication checks (User::loginCheck()) and role-based authorization before returning user data from the mention endpoint. Verify the specific patch version in the WWBN advisory. As an interim mitigation, restrict network access to the `objects/mention.json.php` endpoint via firewall rules or reverse proxy, or disable the endpoint if not critical to operations.
Patch guidance
Consult the official WWBN AVideo release notes and security advisories for the recommended patch version. Patches should include authentication enforcement and removal or hardening of the entry guard. Test patches in a non-production environment before deployment to ensure compatibility with existing customizations or third-party integrations. Document the patching date for compliance records.
Detection guidance
Monitor logs for repeated requests to `objects/mention.json.php` with varying `term` parameters, especially those prefixed with '@' (matching the regex pattern). High-frequency requests from a single source IP to this endpoint are suspicious. Implement alerting for HTTP 200 responses with user data returned from unauthenticated contexts. Consider deploying a Web Application Firewall (WAF) rule to flag or block requests to this endpoint from non-authenticated sessions.
Why prioritize this
Although classified as MEDIUM severity (CVSS 5.3), this vulnerability should not be deprioritized. User enumeration is a foundational reconnaissance technique; patching closes an information leak that attackers actively exploit in multi-stage campaigns. Organizations with public-facing AVideo instances or those in regulated industries (media, finance) should prioritize remediation to reduce reconnaissance surface area.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects low attack complexity, no privilege requirement, and network accessibility, balanced against limited confidentiality impact (usernames alone) and no integrity or availability impact. However, the practical risk is elevated by the endpoint's unauthenticated nature and the role of user enumeration in attack chains; scoring reflects the vulnerability in isolation rather than its use as a stepping stone.
Frequently asked questions
Can an attacker enumerate all users at once, or only in batches?
The hard-coded `rowCount=10` limits each request to 10 results. An attacker would need to iterate through multiple requests with different `term` values to build a complete user list, but this is easily automated and detectable if proper logging is in place.
Does this vulnerability allow password attacks or account takeover?
No. Enumeration alone does not grant access to passwords or account credentials. However, it significantly reduces the effort required for brute-force or spray attacks by confirming valid usernames beforehand, making downstream attacks more efficient.
What if we run AVideo on a private network behind a firewall?
Internal deployment reduces external attacker access, but does not eliminate risk from insider threats or lateral movement by adversaries already on the network. Patching remains the correct long-term remediation regardless of network topology.
Are there any known exploits or active exploitation?
This CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Nonetheless, user enumeration is a well-understood attack pattern and likely to be incorporated into reconnaissance tooling by threat actors scanning for vulnerable AVideo instances.
This analysis is provided for informational purposes and reflects the CVE data, vendor advisories, and CWE definitions available as of the publication date. Security teams should verify patch availability and compatibility with their deployment before proceeding with updates. Consult WWBN AVideo's official advisory and your organization's change management procedures. This explainer does not constitute professional security advice; engage qualified security personnel for environment-specific remediation planning. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel