CVE-2026-34374 Overview
A critical SQL Injection vulnerability exists in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the Live_schedule::keyExists() method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists() when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to Live_schedule::keyExists() undoes this protection entirely.
This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the live_schedule_id parameter in the reminder function. This finding specifically concerns the stream key lookup path used during RTMP publish authentication.
Critical Impact
Unauthenticated attackers can exploit this SQL injection vulnerability during RTMP publish authentication to extract sensitive data from the database or modify its contents, potentially compromising the entire video platform.
Affected Products
- WWBN AVideo versions up to and including 26.0
- All deployments using RTMP publish authentication functionality
- Self-hosted and cloud instances running vulnerable versions
Discovery Timeline
- 2026-03-27 - CVE-2026-34374 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-34374
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) affects the stream key authentication mechanism in WWBN AVideo. The vulnerability exists in the Live_schedule::keyExists() method, which is invoked as a secondary lookup when the primary parameterized query in LiveTransmition::keyExists() fails to find a matching stream key.
The fundamental issue is an inconsistent security pattern within the codebase. While the primary lookup function implements proper parameterized queries to prevent SQL injection, the fallback code path directly concatenates user-supplied stream key data into SQL queries without sanitization or parameterization.
The vulnerability can be exploited remotely without authentication during the RTMP publish authentication process. Successful exploitation could allow attackers to read sensitive database contents including user credentials, session tokens, and platform configuration data. Additionally, attackers may be able to modify or delete database records, potentially leading to complete platform compromise.
Root Cause
The root cause is improper input validation and inconsistent use of parameterized queries. The Live_schedule::keyExists() method directly interpolates the stream key parameter into a SQL query string rather than using prepared statements with parameter binding. This occurs despite the calling function (LiveTransmition::keyExists()) implementing proper parameterization for its own database queries, creating a false sense of security in the authentication flow.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can craft a malicious stream key containing SQL injection payloads and submit it during the RTMP publish authentication process. When the primary lookup returns no results, the system falls back to the vulnerable Live_schedule::keyExists() method, executing the attacker's injected SQL commands against the database.
The attacker can leverage standard SQL injection techniques, including UNION-based injection to extract data, boolean-based blind injection for data enumeration, and time-based blind injection when direct output is not visible. As of the time of publication, no patched versions are available.
Detection Methods for CVE-2026-34374
Indicators of Compromise
- Anomalous SQL error messages in application logs related to Live_schedule or stream key lookups
- Unusual database query patterns or unexpected query execution times during RTMP authentication
- Failed stream key authentication attempts with stream keys containing SQL syntax characters (e.g., single quotes, UNION statements, comment markers)
- Database audit logs showing unexpected SELECT, UPDATE, or DELETE operations on user or configuration tables
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in RTMP stream key parameters
- Enable detailed database query logging and monitor for queries originating from the Live_schedule::keyExists() function containing suspicious patterns
- Deploy intrusion detection rules to identify SQL injection payloads in network traffic targeting the RTMP authentication endpoint
- Configure application-level monitoring to alert on SQL errors or exceptions during stream key validation
Monitoring Recommendations
- Review database query logs for any queries containing UNION, SELECT, or comment syntax within stream key values
- Monitor RTMP authentication endpoints for high volumes of failed authentication attempts
- Implement real-time alerting for SQL syntax errors occurring in the live streaming authentication modules
- Track database response times for anomalies that may indicate time-based SQL injection attempts
How to Mitigate CVE-2026-34374
Immediate Actions Required
- Restrict network access to RTMP authentication endpoints to trusted IP ranges where possible
- Implement a Web Application Firewall with SQL injection detection rules in front of the AVideo application
- Consider temporarily disabling the live streaming functionality if not critical to operations until a patch is available
- Review database permissions to ensure the application database user has minimal required privileges
Patch Information
As of the time of publication, no patched versions are available from the vendor. Organizations should monitor the GitHub Security Advisory for updates on patch availability. In the interim, apply the workarounds and mitigations described below to reduce risk.
Workarounds
- Deploy a reverse proxy or WAF to filter and block requests containing SQL injection patterns in stream key parameters
- Implement input validation at the application layer to reject stream keys containing SQL metacharacters before they reach the vulnerable code path
- Apply network segmentation to limit direct access to the AVideo application and its database
- If source code modification is possible, update the Live_schedule::keyExists() method to use parameterized queries consistent with the calling function
# Example WAF rule configuration (ModSecurity)
# Block SQL injection patterns in RTMP stream key authentication
SecRule ARGS:key "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQL Injection attempt detected in stream key'"
SecRule ARGS:key "@rx (?i)(union|select|insert|update|delete|drop|--|;)" "id:1002,phase:2,deny,status:403,log,msg:'SQL keywords detected in stream key'"
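The lookup pattern the advisory describes, written both ways as an added illustration (not AVideo's own code): the interpolated query that Live_schedule::keyExists() is reported to use, beside a prepared-statement version with the stream-key allow-list check suggested under Workarounds applied before any query runs. The mysqli connection $db, the table names live_transmition and live_schedule, the `key` column and the allowed key format are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. $db is an assumed mysqli connection;
// table and column names are placeholders mirroring the advisory, not the real schema.

// The pattern the advisory describes in Live_schedule::keyExists(): the key is
// interpolated into the query text, so a quote or comment marker inside it changes the SQL.
function keyExistsInterpolated(mysqli $db, string $key): bool
{
    $sql = "SELECT id FROM live_schedule WHERE `key` = '{$key}' LIMIT 1";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened form: the key is a bound parameter and never part of the query text;
// the table name comes from a fixed list, so it is not user-controlled either.
function keyExistsPrepared(mysqli $db, string $table, string $key): bool
{
    $allowedTables = ['live_transmition' => true, 'live_schedule' => true];
    if (!isset($allowedTables[$table])) {
        throw new InvalidArgumentException('unknown lookup table');
    }
    $stmt = $db->prepare("SELECT id FROM `{$table}` WHERE `key` = ? LIMIT 1");
    if ($stmt === false) { return false; }
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Defense in depth (the advisory's application-layer validation workaround): refuse
// anything that does not look like an issued key before any query runs. The alphabet
// and length are assumptions; match them to the key format your deployment generates.
function isPlausibleStreamKey(string $key): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{8,128}\z/', $key);
}

// Publish authentication with the fallback order the advisory describes, but with
// both lookups parameterized and the allow-list applied first.
function streamKeyIsAuthorized(mysqli $db, string $key): bool
{
    if (!isPlausibleStreamKey($key)) {
        error_log('RTMP publish rejected: stream key contains unexpected characters');
        return false;
    }
    return keyExistsPrepared($db, 'live_transmition', $key)
        || keyExistsPrepared($db, 'live_schedule', $key);
}
```

The error_log line doubles as the application-level signal the Detection Strategies section asks for, since every rejected key leaves a record before the database is touched.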
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.