CVE-2026-34245: Missing Authorization and IDOR in WWBN AVideo PlayLists Plugin

WWBN AVideo, formerly known as YouPHPTube, is a widely deployed open-source video content management system and broadcasting platform. The software includes a highly privileged PlayLists plugin designed to automate content scheduling and distribution. This plugin exposes multiple API endpoints to facilitate background task processing and automated livestreaming functionality.

CVE-2026-34245 identifies a critical missing authorization vulnerability, commonly classified as an Insecure Direct Object Reference (IDOR), within the PlayLists plugin. The flaw specifically resides in the plugin/PlayLists/View/Playlists_schedules/add.json.php endpoint. This specific script handles the creation and modification of playlist broadcast schedules, which are executed asynchronously by the application's cron runner.

The core issue stems from an inadequate authorization model that verifies global streaming permissions but fails to enforce object-level access controls. Any authenticated user possessing fundamental streaming rights can interact with this endpoint. By manipulating the playlists_id parameter, an attacker can arbitrarily assign schedules to any playlist on the platform, irrespective of the actual ownership of the target resource.

Exploitation of this vulnerability results in cross-user broadcast hijacking. The application background workers execute the malicious schedule under the operational context of the victim playlist owner. This mechanism allows unauthorized users to displace legitimate content, disrupt active streams, and distribute arbitrary media through a victim's established broadcast channels.

The root cause of CVE-2026-34245 is a failure to validate the relationship between the authenticated user session and the specific object identifiers provided in HTTP requests. The add.json.php endpoint receives parameters via the $_POST array and utilizes them to instantiate and populate a Playlists_schedules object. The application performs a preliminary check utilizing the User::canStream() method to ensure the requesting user has fundamental broadcasting rights.

This global check is entirely insufficient for endpoints that manipulate user-specific data structures. Following the initial validation, the code directly assigns the user-supplied playlists_id to the schedule object via the $o->setPlaylists_id($_POST['playlists_id']) method. The application executes this assignment without invoking any corresponding verification to determine if the session user is authorized to manage the specified playlist entity.

Furthermore, the vulnerability extends to the modification of existing schedules. The endpoint instantiates an existing schedule using the id parameter provided in the request payload. The system fails to verify the ownership of the instantiated Playlists_schedules object before updating its properties. This allows an attacker to overwrite the configuration of schedules belonging to other platform users.

The vulnerability manifests its impact during the execution phase handled by the background task runner plugin/PlayLists/run.php. When the cron job processes pending schedules, it derives the broadcast execution context from the associated playlists_id. Because the system assumes the database relationships are strictly validated upon entry, the task runner blindly executes the attacker's defined payload using the victim's contextual privileges and broadcast keys.

Analyzing the pre-patch implementation of plugin/PlayLists/View/Playlists_schedules/add.json.php reveals the explicit absence of object-level authorization bounds. The application relies entirely on a singular, global boolean check before accepting user input for object mutation. The vulnerable sequence demonstrates direct assignment from the $_POST superglobal to the underlying data model.

The vulnerable code path executes as follows:

if (!User::canStream()) {
    forbiddenPage(__("You cannot livestream"));
}
 
$o = new Playlists_schedules(@$_POST['id']);
$o->setPlaylists_id($_POST['playlists_id']);
$o->setName($_POST['name']);
if($id = $o->save()){
    $obj->error = false;
}

The patch implemented in commit 1e6dc20172de986f60641eb4fdb4090f079ffdce rectifies this oversight by introducing the PlayLists::canManagePlaylist() validation method. The corrected implementation explicitly verifies the authentication context against both the schedule object and the target playlist identifier.

The remediation introduces a two-stage validation process:

if (!empty($_POST['id'])) {
    $existing = new Playlists_schedules(intval($_POST['id']));
    if (!PlayLists::canManagePlaylist($existing->getPlaylists_id())) {
        forbiddenPage(__("You cannot modify this schedule"));
    }
}
 
if (!PlayLists::canManagePlaylist($_POST['playlists_id'])) {
    forbiddenPage(__("You cannot manage this playlist"));
}

This robust design ensures that users can only mutate schedules they definitively own and strictly blocks assignments to third-party or arbitrary playlists.

Exploitation of CVE-2026-34245 requires an attacker to possess a low-privileged account on the target WWBN AVideo installation with the active stream capability enabled. The attacker must also acquire the numerical playlists_id of the intended victim. This identifier is frequently exposed through the application's public-facing URLs, REST API responses, or HTML source code metadata.

The attack methodology involves crafting a specialized HTTP POST request directed at the vulnerable add.json.php endpoint. The attacker injects the acquired victim identifier into the playlists_id parameter. Simultaneously, the attacker defines the parameters field with a JSON structure containing the source URL of an external, attacker-controlled video stream.

The execution flow is structured as follows:

Upon successful submission, the application acknowledges the payload with a boolean false error response, confirming the schedule injection. The exploitation requires no further interaction. When the system's run.php background task executes at the defined timestamp, it initializes a broadcast session on the victim's channel. The system streams the attacker's designated remote media file, successfully bypassing the required administrative context.

The exploitation of this missing authorization vulnerability yields significant operational impact within the scope of the video platform. The primary consequence is unauthorized broadcast hijacking. By leveraging the background task runner, attackers can inject arbitrary, potentially illicit, or policy-violating content into the live streams of legitimate platform users.

The CVSS v3.1 vector evaluates to CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L with a base score of 6.3. The attack requires low privileges and zero user interaction, making it highly reproducible in multi-tenant environments. Integrity and availability are both impacted, as legitimate schedules are disrupted, and unauthorized data is superimposed over intended broadcast slots.

While confidentiality impact is rated low, the reputational damage to the victim and the platform operator can be severe. The system processes the malicious broadcast under the cryptographic identity and context of the victim. This attribution spoofing complicates incident response and audit trailing, as server logs initially attribute the streaming activity to the legitimate account owner rather than the true threat actor.

According to the Exploit Prediction Scoring System (EPSS), the vulnerability currently holds a minimal probability of widespread active exploitation within the immediate 30-day window (0.03%). This low score is largely attributable to the specialized deployment footprint of WWBN AVideo and the prerequisite of possessing an authenticated streaming account on the specific target instance.

The definitive remediation for CVE-2026-34245 is to upgrade the WWBN AVideo installation to version 26.1 or later. This release incorporates the comprehensive authorization checks necessary to validate object ownership. Administrators must ensure the update process successfully replaces the plugin/PlayLists/View/Playlists_schedules/add.json.php file with the patched implementation.

In scenarios where an immediate software upgrade is not feasible, administrators can manually backport the necessary security controls. This involves applying the precise modifications documented in commit 1e6dc20172de986f60641eb4fdb4090f079ffdce. The manual patch strictly enforces the PlayLists::canManagePlaylist() validation logic prior to object mutation and persistence.

As a supplementary defense-in-depth measure, security teams can deploy specialized Web Application Firewall (WAF) rules. Application-aware WAF configurations can be engineered to intercept requests directed at add.json.php and correlate the supplied playlists_id parameter against the authenticated user's session data. Requests demonstrating identifier mismatches should be actively dropped and logged.

Following remediation, it is critical to conduct a comprehensive audit of existing database records. Administrators should review the playlists_schedules table for anomalous entries, particularly those correlating with external stream sources or irregular scheduling patterns. Identifying and purging malicious schedule records is required to prevent delayed exploitation from payloads injected prior to the application of the security patch.