CVE-2026-34247: Insecure Direct Object Reference and Information Disclosure in WWBN AVideo
Vulnerability ID: CVE-2026-34247
CVSS Score: 5.4
Published: 2026-03-29
WWBN AVideo versions up to and including 26.0 suffer from a Missing Authorization (IDOR) vulnerability in the plugin/Live/uploadPoster.php endpoint. An authenticated attacker can overwrite the poster image of any scheduled live stream. Furthermore, successful exploitation triggers a WebSocket broadcast that leaks the victim's private broadcast key and user ID to all connected clients.
TL;DR
An IDOR flaw in WWBN AVideo's uploadPoster.php allows low-privileged authenticated users to overwrite stream posters and extract private broadcast keys of other users via WebSocket broadcasts.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network
- CVSS Score: 5.4
- EPSS Score: 0.00009
- Impact: Information Disclosure & File Overwrite
- Exploit Status: PoC Available
- Privileges Required: Low
Affected Systems
- WWBN AVideo
- AVideo: <= 26.0 (Fixed in: 26.1)
Code Analysis
Commit: 5fcb3bd
Add authorization check to verify schedule ownership during poster upload
Mitigation Strategies
- Upgrade WWBN AVideo to version 26.1 or later
- Apply the authorization patch manually to uploadPoster.php
- Implement WAF rules to monitor POST requests to uploadPoster.php
Remediation Steps:
- Create a full backup of the AVideo installation and database
- Download the latest stable release of WWBN AVideo
- Deploy the update following the official upgrade documentation
- If manual patching is required, open plugin/Live/uploadPoster.php
- Insert the authorization block verifying $ls->getUsers_id() against User::getId()
- Save the file and verify standard upload functionality works for legitimate stream owners
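The ownership check that the manual-patching step describes, written out as an added example for a poster upload handler. This is not the project's own code and not the contents of commit 5fcb3bd; only `$ls->getUsers_id()` and `User::getId()` come from the advisory, while the `live_schedule_id` parameter name, the `loadScheduleById()` and `deny()` helpers, and the assumption that `User::getId()` returns an empty value for anonymous callers are assumptions made for the example.

```php
<?php
// Added example: authorization guard for a poster upload handler.
// Assumptions (not from the advisory): the request carries the schedule id as
// 'live_schedule_id', loadScheduleById() returns the schedule record ($ls) or
// null, and deny() is a small helper that ends the request with an error.

function deny(string $reason, int $status = 403): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $reason]);
    exit;
}

// Returns true only when the logged-in user owns the schedule. Comparing as
// integers avoids a string/int mismatch silently passing or failing the check.
function ownsSchedule($ls, $currentUserId): bool {
    return intval($ls->getUsers_id()) === intval($currentUserId);
}

// 1. Authentication: anonymous requests never reach the write path.
$currentUserId = User::getId();               // assumed: empty when not logged in
if (empty($currentUserId)) {
    deny('Not logged in', 401);
}

// 2. Input validation: reject missing or malformed schedule ids.
$scheduleId = intval($_POST['live_schedule_id'] ?? 0);   // assumed parameter name
if ($scheduleId <= 0) {
    deny('Invalid schedule id', 400);
}

$ls = loadScheduleById($scheduleId);          // hypothetical loader
if ($ls === null) {
    deny('Schedule not found', 404);
}

// 3. Authorization (the missing check, CWE-862): the caller must own the
//    schedule, otherwise any logged-in user could overwrite any poster.
if (!ownsSchedule($ls, $currentUserId)) {
    deny('You can only change posters of your own schedules');
}

// Only after all three checks pass: store the uploaded file and notify clients.
// Placing the guard before the write and before the WebSocket broadcast means a
// rejected request never triggers the message that leaked the owner's key.
```

Run the ownership check before any side effect, so that a denied request performs no file write and emits no broadcast.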
References
Read the full report for CVE-2026-34247 on our website for more details including interactive diagrams and full exploit analysis.