CVE-2026-34731 Overview
WWBN AVideo, an open source video platform, contains a missing authentication vulnerability in the Live plugin that allows unauthenticated attackers to terminate any active live stream. The on_publish_done.php endpoint processes RTMP callback events to mark streams as finished in the database but performs no authentication or authorization checks before doing so. This vulnerability enables complete denial-of-service against all live streaming functionality on affected AVideo installations.
Critical Impact
Unauthenticated attackers can enumerate active stream keys and terminate any live broadcast on the platform, causing complete disruption of live streaming services.
Affected Products
- WWBN AVideo versions 26.0 and prior
- AVideo Live Plugin (all versions through 26.0)
- Self-hosted AVideo instances with Live streaming enabled
Discovery Timeline
- 2026-03-31 - CVE-2026-34731 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34731
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The AVideo platform's Live plugin exposes the on_publish_done.php endpoint which is designed to handle RTMP server callbacks when a stream ends. However, this endpoint lacks any authentication or authorization mechanisms, allowing any unauthenticated user to invoke it directly.
The attack chain involves two unauthenticated endpoints working in conjunction. First, an attacker can access the stats.json.php endpoint to enumerate all currently active stream keys on the platform. With this information, the attacker then crafts POST requests to on_publish_done.php with the target stream key, causing the platform to mark those streams as finished in the database—effectively terminating live broadcasts without any credentials.
Root Cause
The root cause is the absence of authentication controls on the on_publish_done.php endpoint within the Live plugin. The endpoint was designed to receive callbacks from the RTMP streaming server but fails to validate that incoming requests originate from a trusted source. Additionally, the stats.json.php endpoint exposes sensitive stream key information without requiring authentication, enabling attackers to easily identify targets.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can remotely exploit this vulnerability by:
- Querying the unauthenticated stats.json.php endpoint to enumerate active stream keys
- Sending crafted POST requests to on_publish_done.php with the discovered stream keys
- The server processes these requests without verification, terminating the targeted live streams
The vulnerability mechanism centers on the lack of request origin validation. When the on_publish_done.php endpoint receives a request containing a valid stream key, it immediately updates the database to mark that stream as finished. The endpoint does not verify whether the request originated from the legitimate RTMP server or from a malicious external source. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34731
Indicators of Compromise
- HTTP POST requests to /plugin/Live/on_publish_done.php from any address other than the RTMP streaming server
- Requests to stats.json.php from one source followed shortly by POST requests to on_publish_done.php from the same source
- Sudden termination of one or more live streams that the broadcasters did not end, particularly several at once
- Requests to Live plugin endpoints from scanners, anonymizing proxies or other unexpected sources
Detection Strategies
- Monitor web server access logs for requests to /plugin/Live/on_publish_done.php from any address other than the RTMP server
- Add web application firewall (WAF) rules that block external access to the RTMP callback endpoint; the rule must evaluate the real client address, so behind a reverse proxy configure the WAF to use the proxy-supplied client address rather than the proxy's own
- Alert on stream termination events in application logs that have no matching broadcaster action
- Review database audit logs for bursts of stream status changes to "finished" that do not correlate with normal broadcast endings
Monitoring Recommendations
- Configure real-time alerting for access attempts to on_publish_done.php from IP addresses outside the trusted RTMP server range
- Implement rate limiting and anomaly detection on Live plugin endpoints
- Monitor for enumeration activity against stats.json.php such as repeated requests from single sources
- Establish baseline metrics for normal stream termination patterns to identify anomalous activity
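Detection logic for the first two strategies above, written as an added example in Python (this is not code from the page or from the AVideo project). It reads combined-format access log lines, flags any POST to on_publish_done.php whose source is not the RTMP server, and flags a stats.json.php request followed within a few minutes by a callback POST from the same address. The trusted address list, the alert window and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (not from the advisory): the RTMP server's address
# and the alert window. Set TRUSTED_RTMP to the host that actually sends callbacks.
TRUSTED_RTMP = [ipaddress.ip_network("192.168.1.100/32"), ipaddress.ip_network("127.0.0.1/32")]
CALLBACK = "/plugin/Live/on_publish_done.php"
STATS = "/plugin/Live/stats.json.php"
WINDOW = timedelta(minutes=5)  # stats.json.php hit followed by a callback within this window

# Apache/Nginx "combined" log format. If a reverse proxy sits in front of the web
# server, log the proxy-supplied client address instead of $remote_addr, or every
# request will appear to come from the proxy.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)


def parse(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def is_trusted(ip):
    """True if the address belongs to a host allowed to send RTMP callbacks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RTMP)


def analyze(lines):
    """Return (rule, ip, timestamp) alerts for the two patterns described above."""
    alerts = []
    stats_hits = defaultdict(list)  # ip -> timestamps of stats.json.php requests
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["path"] == STATS:
            stats_hits[ev["ip"]].append(ev["ts"])
        elif ev["path"] == CALLBACK and ev["method"] == "POST":
            if not is_trusted(ev["ip"]):
                alerts.append(("untrusted_callback", ev["ip"], ev["ts"]))
            if any(ev["ts"] - t <= WINDOW for t in stats_hits[ev["ip"]]):
                alerts.append(("enumerate_then_terminate", ev["ip"], ev["ts"]))
    return alerts


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.168.1.100 - - [01/Apr/2026:10:00:01 +0000] "POST /plugin/Live/on_publish_done.php HTTP/1.1" 200 12 "-" "nginx-rtmp"
203.0.113.7 - - [01/Apr/2026:10:02:10 +0000] "GET /plugin/Live/stats.json.php HTTP/1.1" 200 845 "-" "curl/8.0"
203.0.113.7 - - [01/Apr/2026:10:02:15 +0000] "POST /plugin/Live/on_publish_done.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [01/Apr/2026:10:02:16 +0000] "POST /plugin/Live/on_publish_done.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.9 - - [01/Apr/2026:10:05:00 +0000] "GET /view/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for rule, ip, ts in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {rule} from {ip}")
```

Run it against a real log with analyze(open(path)). The correlation rule keys on source address, so a shared NAT egress can produce false positives; the untrusted-callback rule has none, because no client other than the RTMP server has any legitimate reason to POST to that endpoint.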
How to Mitigate CVE-2026-34731
Immediate Actions Required
- Restrict network access to on_publish_done.php and stats.json.php using firewall rules or web server configuration, allowing only the RTMP streaming server's address to reach the callback endpoint (if the RTMP server runs on the same host or in a sidecar container, that address is the loopback or container-network address, not a public one)
- Consider temporarily disabling the Live plugin if live streaming is not critical to operations
- Apply the allowlist at whichever layer sees the true client address: at the web server if clients connect to it directly, or at the reverse proxy or WAF if one sits in front of AVideo, since a filter behind a proxy otherwise matches the proxy's address rather than the client's
Patch Information
At time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates from the WWBN AVideo project regarding official fixes.
Workarounds
- Use web server configuration (Apache .htaccess or Nginx location blocks) to restrict access to Live plugin endpoints to trusted IP addresses only
- Deploy a reverse proxy or WAF to filter requests to the vulnerable endpoints by source IP, making sure the filter evaluates the real client address rather than a client-supplied X-Forwarded-For value
- Put a wrapper script in front of each vulnerable endpoint that validates the request before including the original file, for example by requiring a shared secret that is appended to the callback URL configured on the RTMP server and compared with hash_equals, rejecting any request without it
- If possible, place the AVideo installation behind a VPN or private network segment for administrative and streaming functions
# Nginx configuration example - restrict access to Live plugin callbacks.
# Exact-match (=) locations are required: a plain prefix location loses to the
# site's "location ~ \.php$" block and the allow/deny would never run. Each block
# must also pass the request to PHP (the fastcgi_pass target below is an assumption).
location = /plugin/Live/on_publish_done.php {
    allow 192.168.1.100;   # RTMP server IP (127.0.0.1 if it runs on this host)
    deny all;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
location = /plugin/Live/stats.json.php {
    allow 192.168.1.0/24;  # Internal network only
    deny all;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
Nginx evaluates allow and deny against $remote_addr. If a reverse proxy or CDN sits in front of AVideo, every request arrives from the proxy's address, so these rules either block the RTMP server or admit everyone; in that case configure set_real_ip_from and real_ip_header for the proxy, or enforce the restriction on the proxy itself. Verify on a test instance that restricting stats.json.php does not break any viewer-facing feature that calls it.
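The allow/deny rules above, and any equivalent WAF or reverse-proxy filter, are only as good as the client address they evaluate. The following added Python example (not AVideo code; the proxy and RTMP addresses are assumptions) shows the resolution logic a filtering layer needs when requests pass through a reverse proxy: X-Forwarded-For is consulted only if the TCP peer is a trusted proxy, and it is walked from the right so that a client-supplied entry claiming to be the RTMP server is ignored. A naive resolver that trusts the leftmost entry is included to show how it is bypassed.

```python
import ipaddress

# Assumptions for this example (not from the advisory): the RTMP server's address
# and the reverse proxies that sit in front of AVideo. Adjust to your deployment.
TRUSTED_RTMP = {ipaddress.ip_address("192.168.1.100")}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_proxy(addr):
    """True if the address is one of our own reverse proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, xff_header):
    """The common mistake: trust the leftmost X-Forwarded-For entry unconditionally.
    Any client can send this header, so it can claim to be the RTMP server."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    return ipaddress.ip_address(hops[0] if hops else peer_addr)


def client_ip(peer_addr, xff_header):
    """Resolve the client address safely.

    The header is consulted only when the TCP peer is a trusted proxy. Hops are
    walked from the right (nearest to us); every hop that is itself a trusted
    proxy is skipped, and the first untrusted hop is the client. Entries further
    left were supplied by untrusted parties and are ignored. A malformed entry
    yields None so the caller fails closed.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_proxy(peer):
        return peer  # direct connection: the header is attacker-controlled, ignore it
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not is_proxy(addr):
            return addr
    return peer  # header empty or only proxies: treat the proxy itself as the client


def allow_callback(peer_addr, xff_header, resolver=client_ip):
    """Admit an on_publish_done.php request only if the resolved client is the RTMP server."""
    addr = resolver(peer_addr, xff_header)
    return addr is not None and addr in TRUSTED_RTMP
```

If Nginx itself performs the filtering behind a proxy, the same rule is expressed with set_real_ip_from for each proxy, real_ip_header X-Forwarded-For and real_ip_recursive on, which walks the header from the right in the same way before allow and deny are evaluated.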
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

