GHSA-QXVM-R42F-5P8J: Authentication Bypass via Meet Plugin in AVideo
Vulnerability ID: GHSA-QXVM-R42F-5P8J
CVSS Score: 9.8
Published: 2026-05-15
AVideo is vulnerable to a critical authentication bypass in the Meet plugin. An attacker who holds the Meet shared secret can impersonate any user, including administrators, by supplying a crafted filename to the recorded-video upload endpoint (uploadRecordedVideo.json.php), which can lead to complete system compromise.
TL;DR
A flaw in AVideo's Meet plugin allows authentication bypass and arbitrary user impersonation. An attacker who knows the Meet shared secret can abuse an insecure passwordless login mechanism tied to recorded-video uploads to obtain administrative access.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-287 / CWE-288 / CWE-306
- Attack Vector: Network
- Authentication: Shared Secret Required
- Impact: Administrative Privilege Escalation
- Exploit Status: Proof of Concept
- Vulnerable Component: uploadRecordedVideo.json.php
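As an added illustration (not AVideo's code and not the fixed Meet plugin), the weakness class named above, CWE-287/288, arises when a request authenticated only by a shared secret also lets the caller choose which account it acts as. The vulnerable function below models that pattern with a hypothetical filename scheme; the hardened alternative keeps the shared secret for what it should authorize (pushing a recording) and takes the recording's owner from a server-issued, single-use, expiring grant, so holding the secret no longer yields impersonation or a login session. All function names, the filename convention, the token store and the fixture values are constructed for this example.

```python
"""Added illustration of the weakness class behind this advisory and a
hardened alternative. Not AVideo code: the filename convention, function
names, token store and fixture values are constructed for the example."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed fixtures (not real values).
SHARED_SECRET = b"constructed-meet-shared-secret"
USERS = {"alice": {"id": 42, "is_admin": False},
         "admin": {"id": 1, "is_admin": True}}


def vulnerable_login(presented_secret: bytes, filename: str):
    """Weak pattern (CWE-287/288): the shared secret only proves the caller
    knows it; WHICH user gets logged in is read from the caller-chosen
    filename (hypothetical scheme: <meeting>_<username>_<ts>.webm), so
    anyone holding the secret picks any account, including admin."""
    if not hmac.compare_digest(presented_secret, SHARED_SECRET):
        return None
    parts = filename.split("_")
    if len(parts) < 3:
        return None
    return USERS.get(parts[1])  # identity decided by the client: the bypass


@dataclass
class UploadGrant:
    meeting_id: str
    username: str
    expires_at: float
    used: bool = False


class UploadTokenStore:
    """Server-side, single-use, time-limited grants. Holding the shared
    secret does not let a caller mint one: tokens are random values looked
    up server-side, not derived from the secret."""

    def __init__(self, ttl_seconds: int = 3600):
        self._grants = {}
        self._ttl = ttl_seconds

    def issue(self, meeting_id: str, username: str,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._grants[token] = UploadGrant(meeting_id, username, now + self._ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None):
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None or grant.used or now >= grant.expires_at:
            return None
        grant.used = True  # single use: a replayed token is refused
        return grant


def hardened_upload(store: UploadTokenStore, presented_secret: bytes,
                    token: str, filename: str, now: Optional[float] = None):
    """The shared secret authenticates the meeting infrastructure as a
    caller allowed to push recordings; it creates no login session. The
    recording's owner comes from the server-issued grant, never from the
    filename, which is reduced to a sanitised storage name."""
    if not hmac.compare_digest(presented_secret, SHARED_SECRET):
        return None
    grant = store.redeem(token, now)
    if grant is None or grant.username not in USERS:
        return None
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-")[:128]
    return {"owner": USERS[grant.username]["id"],
            "meeting_id": grant.meeting_id, "stored_as": safe_name}


def new_shared_secret() -> str:
    """Rotation helper: 32 bytes from the OS CSPRNG, hex-encoded (64 chars)."""
    return secrets.token_hex(32)
```

The same boundary can be enforced one layer down by allow-listing the endpoint's source addresses in the web server (nginx `allow`/`deny` in the matching `location`, or Apache `Require ip`), which is the WAF/web-server mitigation the advisory lists; it limits who can reach the endpoint but does not by itself fix the identity binding, so both measures belong together.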
Affected Systems
- AVideo (formerly YouPHPTube)
- AVideo Meet Plugin: all unpatched versions (fixed in the latest repository commit)
Mitigation Strategies
- Update AVideo and the Meet plugin to the latest available releases.
- Rotate the Meet shared secret to a newly generated, high-entropy value.
- Restrict access to the uploadRecordedVideo.json.php endpoint via WAF or web server configuration to authorized meeting infrastructure IP addresses only.
Remediation Steps:
- Navigate to the AVideo administration panel and review installed plugins.
- Pull the latest codebase from the WWBN/AVideo master branch or apply the latest release tags.
- Access the Meet plugin configuration and generate a new cryptographically random value (for example 32 bytes, hex-encoded) for the 'Meet shared secret'.
- Update all authorized meeting instances with the newly generated secret.
- Invalidate existing sessions, for example by clearing the PHP session store, since restarting the web service alone does not destroy file-backed sessions an attacker may already have established.
References
Read the full report for GHSA-QXVM-R42F-5P8J on our website for more details including interactive diagrams and full exploit analysis.