CVE-2026-34247 Overview
WWBN AVideo is an open source video platform that contains a broken access control vulnerability in versions up to and including 26.0. The plugin/Live/uploadPoster.php endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary live_schedule_id. The endpoint only checks User::isLogged() but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a socketLiveOFFCallback notification containing the victim's broadcast key and user ID to all connected WebSocket clients.
Critical Impact
Authenticated attackers can manipulate other users' live stream poster images and leak sensitive broadcast keys and user IDs through WebSocket notifications.
Affected Products
- WWBN AVideo versions up to and including 26.0
- Installations using the Live plugin with uploadPoster.php endpoint
Discovery Timeline
- 2026-03-27 - CVE-2026-34247 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-34247
Vulnerability Analysis
This vulnerability represents a classic case of broken access control (CWE-862) where the application fails to perform adequate authorization checks. The affected endpoint plugin/Live/uploadPoster.php implements authentication verification through User::isLogged() but completely omits ownership validation for the targeted live schedule resource.
The vulnerability enables horizontal privilege escalation, allowing any authenticated user to modify resources belonging to other users. The secondary impact involves information disclosure through WebSocket broadcast, where the socketLiveOFFCallback notification inadvertently exposes the victim's broadcast key and user ID to all connected clients.
Root Cause
The root cause is missing authorization logic in the uploadPoster.php endpoint. The code checks whether a user is logged in but does not validate whether the authenticated user has permission to modify the specific live_schedule_id being targeted. This is a common Insecure Direct Object Reference (IDOR) pattern where user-supplied identifiers are trusted without ownership verification.
Attack Vector
The attack is network-based and requires low privileges (any authenticated user account). An attacker can:
- Obtain a valid session by logging into the AVideo platform
- Identify target live_schedule_id values belonging to other users
- Send crafted requests to plugin/Live/uploadPoster.php with arbitrary schedule IDs
- Overwrite victim's poster images and intercept leaked broadcast keys via WebSocket
The following patch demonstrates the authorization fix implemented in commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60:
die(json_encode($obj));
}
+if (!empty($live_schedule_id)) {
+ $ls = new Live_schedule($live_schedule_id);
+ if (!User::isAdmin() && $ls->getUsers_id() != User::getId()) {
+ $obj->msg = 'You cant edit this file';
+ die(json_encode($obj));
+ }
+}
+
$live = AVideoPlugin::loadPluginIfEnabled("Live");
if (empty($live)) {
Source: GitHub Commit Details
Detection Methods for CVE-2026-34247
Indicators of Compromise
- Unusual HTTP POST requests to plugin/Live/uploadPoster.php with live_schedule_id parameters not owned by the requesting user
- Multiple poster upload requests from a single user targeting different schedule IDs
- WebSocket socketLiveOFFCallback events containing broadcast keys being received by unexpected clients
- Log entries showing authenticated users accessing or modifying live schedules they do not own
Detection Strategies
- Implement web application firewall (WAF) rules to monitor requests to the uploadPoster.php endpoint
- Analyze application logs for patterns of users accessing multiple different live_schedule_id values
- Monitor WebSocket traffic for socketLiveOFFCallback messages and correlate with authorized recipients
- Deploy integrity monitoring on poster image files to detect unauthorized modifications
Monitoring Recommendations
- Enable detailed access logging for the Live plugin endpoints
- Set up alerts for high-frequency requests to uploadPoster.php from single user sessions
- Monitor for broadcast key exposure in WebSocket communications
- Implement user behavior analytics to identify horizontal access attempts across live schedules
How to Mitigate CVE-2026-34247
Immediate Actions Required
- Update WWBN AVideo to a version that includes commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60
- Review logs for any historical exploitation attempts targeting the uploadPoster.php endpoint
- Reset broadcast keys for any live schedules that may have been compromised
- Audit user accounts for suspicious activity patterns
Patch Information
The vulnerability is fixed in commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60. The patch adds proper authorization checks that verify the authenticated user either owns the targeted live schedule or has administrator privileges before allowing poster modifications. Organizations should upgrade to a version containing this fix.
For detailed patch information, see the GitHub Security Advisory GHSA-g3hj-mf85-679g.
Workarounds
- Restrict access to the plugin/Live/uploadPoster.php endpoint via web server configuration until patching is complete
- Implement additional authentication layers or IP-based access controls for the Live plugin
- Temporarily disable the Live plugin if live streaming functionality is not critical to operations
- Deploy a reverse proxy rule to validate ownership of live_schedule_id before requests reach the application
# Apache configuration to restrict access to uploadPoster.php
<Location /plugin/Live/uploadPoster.php>
# Temporarily restrict access until patch is applied
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
