CVE-2026-34731Missing Authentication for Critical Function in Avideo

CWE-306Missing Authentication for Critical Function4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 61.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
PublishedMar 31
Latest updateApr 1

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDwwbn/avideo26.0
Packagistwwbn/avideo26.0

🔴Vulnerability Details

2
OSV
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php2026-04-01
GHSA
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php2026-04-01

🕵️Threat Intelligence

1
Wiz
CVE-2026-34731 Impact, Exploitability, and Mitigation Steps | Wiz