CVE-2026-56345 Overview
CVE-2026-56345 is an authorization bypass vulnerability in AVideo through version 29.0. The flaw resides in the Meet plugin's uploadRecordedVideo.json.php endpoint, which extracts the target users_id directly from the uploaded filename without validation. An attacker with knowledge of the Meet shared secret can craft a file upload whose filename contains an arbitrary users_id, triggering a passwordless User->login() call. The resulting authenticated session can impersonate any account, including administrators. The weakness is classified under [CWE-287] Improper Authentication.
Critical Impact
Attackers who obtain the Meet shared secret can hijack any AVideo account, including admin, by uploading a file with a crafted filename.
Affected Products
- AVideo (WWBN) through version 29.0
- AVideo Meet plugin component
- Endpoints uploadRecordedVideo.json.php and checkToken.json.php
Discovery Timeline
- 2026-06-20 - CVE-2026-56345 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-56345
Vulnerability Analysis
The AVideo Meet plugin exposes uploadRecordedVideo.json.php to receive recordings produced by the meeting feature. The endpoint parses the incoming filename to determine the owning user account. Specifically, it interprets the leading numeric segment of the filename as a users_id value and then invokes User->login() against that identifier without verifying credentials. The login function trusts the caller and establishes an authenticated PHP session bound to the supplied account. Because the endpoint accepts any filename pattern matching <users_id>-<arbitrary>.mp4, an attacker can request a session for the admin account (typically users_id=1) by uploading a file named 1-anything.mp4.
Root Cause
The root cause is missing authentication on a privileged state transition. The endpoint relies solely on possession of the Meet shared secret as an authorization signal and then derives identity from attacker-controlled input. There is no cryptographic binding between the shared secret, the uploading principal, and the users_id parsed from the filename. This combination collapses authentication into a single trusted string [CWE-287].
Attack Vector
Exploitation requires the Meet shared secret. According to the advisories, this secret can be obtained through path-traversal vulnerabilities or through timing attacks against checkToken.json.php. Once the secret is known, the attacker issues an HTTP POST request to uploadRecordedVideo.json.php with multipart form data containing a video file whose filename begins with the target users_id. The server processes the upload, calls User->login() for that ID, and returns a session cookie. The attacker then reuses the cookie to access the application as the impersonated user.
No verified proof-of-concept code is published. Refer to the GitHub Security Advisory and the VulnCheck Advisory on AVideo for technical details.
Detection Methods for CVE-2026-56345
Indicators of Compromise
- POST requests to /plugin/Meet/uploadRecordedVideo.json.php with filenames beginning with a numeric prefix followed by a dash, particularly 1-*.mp4.
- Repeated, narrowly timed requests to /plugin/Meet/checkToken.json.php consistent with timing-attack enumeration of the shared secret.
- Path-traversal request patterns such as ../ or encoded variants targeting AVideo configuration files that store the Meet shared secret.
- New authenticated sessions for privileged accounts immediately following an upload request from an unrecognized source IP.
Detection Strategies
- Inspect web server access logs for uploads to the Meet plugin that originate outside expected meeting workflows, then correlate with subsequent privileged actions in the same session.
- Alert when a session cookie issued to an admin account is bound to an IP address or User-Agent that has no prior authentication history.
- Apply web application firewall rules that block uploads to uploadRecordedVideo.json.php where the filename does not match the format produced by the legitimate Meet client.
Monitoring Recommendations
- Centralize AVideo PHP logs, web server logs, and authentication events for correlation across upload, token-check, and session-creation activity.
- Track baseline request volumes to checkToken.json.php and alert on sustained anomalies that may indicate timing-based secret recovery.
- Monitor administrator account activity for logins immediately preceded by file uploads from the same client.
How to Mitigate CVE-2026-56345
Immediate Actions Required
- Upgrade AVideo beyond version 29.0 once a fixed release is published by WWBN, per the GitHub Security Advisory.
- Disable the Meet plugin on internet-exposed AVideo instances until the patch is applied.
- Rotate the Meet shared secret and any administrator credentials that may have been used during the exposure window.
- Review session and audit logs for unauthorized admin logins and revoke active sessions for privileged accounts.
Patch Information
The project maintainers, WWBN, track the issue in GHSA-qxvm-r42f-5p8j. Apply the fixed version referenced in that advisory as soon as it is available. Validate that uploadRecordedVideo.json.php no longer derives users_id from the uploaded filename and that checkToken.json.php uses constant-time comparison for the shared secret.
Workarounds
- Restrict network access to /plugin/Meet/uploadRecordedVideo.json.php and /plugin/Meet/checkToken.json.php to trusted Meet infrastructure only.
- Remove or rename the Meet plugin directory on servers that do not require meeting functionality.
- Enforce strict filename validation at a reverse proxy by rejecting uploads whose filenames begin with a numeric prefix and a dash.
- Place AVideo behind an authenticated reverse proxy to block unauthenticated traffic to plugin endpoints.
# Configuration example: nginx rules to block exploitation paths
location = /plugin/Meet/uploadRecordedVideo.json.php {
# Reject filenames that begin with <digits>- which trigger the auth bypass
if ($request_body ~* "filename=\"[0-9]+-") {
return 403;
}
allow 10.0.0.0/8; # trusted Meet backend only
deny all;
}
location = /plugin/Meet/checkToken.json.php {
allow 10.0.0.0/8;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

