CVE-2026-56342 Overview
CVE-2026-56342 is a Server-Side Request Forgery (SSRF) vulnerability affecting AVideo through version 27.0. The flaw resides in plugin/Live/test.php, where the statsURL parameter accepts user-supplied URLs without invoking the isSSRFSafeURL() validation routine. Authenticated administrators can direct the server to issue HTTP requests to arbitrary destinations, including private IP ranges, localhost, and cloud metadata services. Successful exploitation allows attackers to read responses from internal services and retrieve sensitive data such as IAM credentials from the AWS metadata endpoint at 169.254.169.254. The weakness is classified under CWE-918.
Critical Impact
Authenticated administrators can pivot through the AVideo server to reach internal infrastructure and cloud metadata endpoints, exposing IAM credentials and internal service data.
Affected Products
- AVideo (WWBN) through version 27.0
- plugin/Live/test.php component
- Deployments running on cloud providers exposing instance metadata services
Discovery Timeline
- 2026-06-20 - CVE-2026-56342 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-56342
Vulnerability Analysis
The vulnerability exists in the plugin/Live/test.php endpoint of AVideo. The script accepts a statsURL parameter and uses it to issue an outbound HTTP request from the AVideo server. Other AVideo components validate outbound URLs through a helper named isSSRFSafeURL(), which filters loopback addresses, RFC 1918 ranges, and link-local metadata endpoints. The test.php handler omits this check entirely.
Because the request originates from the AVideo host, the destination sees the application server as the client. This permits the attacker to reach services bound to internal interfaces and addresses that are otherwise unreachable from the public internet. Exploitation requires administrator-level authentication, which limits the population of attackers but does not prevent compromised or insider abuse.
Root Cause
The root cause is missing input validation on a user-controlled URL parameter [CWE-918]. The statsURL value flows directly into the server-side HTTP client without allowlisting schemes, blocking private address space, or invoking the existing isSSRFSafeURL() sanitizer used elsewhere in the codebase.
Attack Vector
An authenticated administrator submits a crafted request to plugin/Live/test.php with statsURL set to an internal target. Common targets include http://127.0.0.1, internal RFC 1918 hosts, and the cloud instance metadata endpoint http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server fetches the URL and returns the response body to the caller, enabling exfiltration of IAM tokens, internal API responses, and network reconnaissance data. See the GitHub Security Advisory and the VulnCheck Security Advisory for additional technical context.
Detection Methods for CVE-2026-56342
Indicators of Compromise
- Web server access logs containing requests to plugin/Live/test.php with a statsURL query parameter referencing private IPs, localhost, 127.0.0.1, or 169.254.169.254
- Outbound connections from the AVideo host to cloud metadata endpoints not previously observed
- Unexpected HTTP traffic from the AVideo server to internal management interfaces or databases
Detection Strategies
- Inspect HTTP request logs for the statsURL parameter and flag values resolving to non-routable address space
- Correlate AVideo administrator session activity with outbound network flows to internal subnets
- Alert on AVideo process connections to 169.254.169.254 or other link-local addresses
Monitoring Recommendations
- Enable egress logging on hosts running AVideo and forward network telemetry to a centralized analytics platform
- Apply cloud provider Instance Metadata Service v2 (IMDSv2) enforcement and monitor metadata token requests
- Audit administrator account usage and review web application firewall (WAF) logs for SSRF payload patterns
How to Mitigate CVE-2026-56342
Immediate Actions Required
- Restrict administrator access to AVideo and rotate any administrator credentials suspected of compromise
- Enforce IMDSv2 on AWS instances hosting AVideo to block unauthenticated metadata retrieval via SSRF
- Block outbound traffic from AVideo hosts to 169.254.169.254 and other internal management addresses at the network layer
Patch Information
At the time of publication, no fixed version has been listed in the NVD entry. Monitor the GitHub Security Advisory GHSA-wxjx-r2j2-96fx for an upstream patch and apply the vendor-supplied update once available. Until then, treat AVideo deployments through version 27.0 as vulnerable.
Workarounds
- Place AVideo behind a WAF rule that rejects requests to plugin/Live/test.php containing statsURL values pointing to private or link-local addresses
- Run AVideo in a network segment without route access to cloud metadata services and internal management planes
- Apply egress allowlisting so the AVideo host can only reach explicitly approved external endpoints
# Example iptables egress restriction blocking cloud metadata access
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 ! -o lo -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

