CVE-2026-34247
Insecure Direct Object Reference in WWBN AVideo Live Poster Upload

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a `socketLiveOFFCallback` notification containing the victim's broadcast key and user ID to all connected WebSocket clients. Commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 fixes the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor   Product   Version / Range
wwbn     avideo    up to and including 26.0
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-34247 is an Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform, specifically in the endpoint `plugin/Live/uploadPoster.php`. This endpoint allows any authenticated user to overwrite the poster image of any scheduled live stream by supplying an arbitrary `live_schedule_id` without verifying that the user owns the targeted live schedule.

The vulnerability exists because the endpoint only checks if the user is logged in but does not check if the user is authorized to modify the specific live schedule. After overwriting the poster, the endpoint broadcasts a notification containing the victim's broadcast key and user ID to all connected WebSocket clients, leaking sensitive information.

Attackers can enumerate schedule IDs easily because they are sequential integers, making it trivial to target any scheduled live stream.

Impact Analysis

This vulnerability can impact you in several ways:

  • Unauthorized users can overwrite poster images of scheduled live streams, enabling content tampering such as defacement or phishing.
  • Viewers may receive false offline notifications because the endpoint broadcasts a `socketLiveOFFCallback` message, disrupting the victim's audience.
  • Sensitive information such as the broadcast key and user ID is leaked to all connected WebSocket clients, resulting in information disclosure.
  • Attackers can enumerate and target all scheduled streams because schedule IDs are predictable, increasing the attack surface.
Detection Guidance

This vulnerability can be detected by monitoring requests to the endpoint `plugin/Live/uploadPoster.php` for unauthorized attempts to overwrite live stream posters using arbitrary `live_schedule_id` values.

A proof of concept involves sending a POST request to this endpoint with a chosen `live_schedule_id` and a malicious image file to see if the poster is overwritten without authorization errors.

To detect exploitation attempts on your system, you can use network monitoring or web server logs to identify POST requests to `plugin/Live/uploadPoster.php` with varying `live_schedule_id` parameters.

  • Use tools like curl to test the endpoint manually against your own deployment: `curl -X POST -F "live_schedule_id=<id>" -F "<file-field>=@<image-file>" https://your-avideo-domain/plugin/Live/uploadPoster.php -b cookies.txt` (`<file-field>` stands for the form's file-upload field name, which is not given here).
  • Check web server access logs for suspicious POST requests to `plugin/Live/uploadPoster.php` with different `live_schedule_id` values.
  • Monitor WebSocket traffic for unexpected `socketLiveOFFCallback` notifications that include broadcast keys and user IDs, which may indicate exploitation.
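As an added example (not part of the advisory or the AVideo project), the detector below applies the log-review guidance above to constructed log lines: it flags a client that POSTs to `plugin/Live/uploadPoster.php` with several different `live_schedule_id` values inside a short window, which is what ID enumeration against this endpoint looks like. It assumes the form field is written into the log line (a standard access log omits POST bodies, so this needs a WAF or application log that records it); the line format and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not real traffic); the format assumes the server or
# WAF writes the live_schedule_id form field next to the request line.
SAMPLE_LOG = """\
2026-03-28T10:00:01Z 198.51.100.4 POST /plugin/Live/uploadPoster.php live_schedule_id=7 200
2026-03-28T10:00:05Z 203.0.113.7 POST /plugin/Live/uploadPoster.php live_schedule_id=12 200
2026-03-28T10:00:09Z 203.0.113.7 POST /plugin/Live/uploadPoster.php live_schedule_id=13 200
2026-03-28T10:00:14Z 203.0.113.7 POST /plugin/Live/uploadPoster.php live_schedule_id=14 200
2026-03-28T10:00:20Z 203.0.113.7 POST /plugin/Live/uploadPoster.php live_schedule_id=15 200
2026-03-28T10:03:00Z 198.51.100.4 POST /plugin/Live/uploadPoster.php live_schedule_id=7 200
2026-03-28T10:04:00Z 203.0.113.7 GET /plugin/Live/view.php live_schedule_id=12 200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
                     r"(?: live_schedule_id=(?P<sid>\d+))? (?P<status>\d{3})$")
ENDPOINT = "/plugin/Live/uploadPoster.php"

def parse_line(line):
    """(timestamp, ip, schedule_id) for a successful POST to the poster
    endpoint; None for anything else (rejected uploads changed nothing)."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST" or m["path"] != ENDPOINT:
        return None
    if not m["sid"] or m["status"] != "200":
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], int(m["sid"])

def find_enumerators(log_text, min_ids=3, window_seconds=120):
    """Map ip -> sorted schedule ids for clients that overwrote posters of at
    least min_ids distinct schedules inside any window_seconds span. A user
    re-uploading the poster of one schedule they own never reaches min_ids."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, sid = parsed
            events[ip].append((ts, sid))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {sid for ts, sid in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_ids:
                flagged[ip] = sorted({sid for _, sid in hits})
                break
    return flagged
```

Tune `min_ids` and `window_seconds` to how often your streamers legitimately change posters; the thresholds here are illustrative.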
Mitigation Strategies

The immediate mitigation step is to apply the patch that adds proper authorization checks in the `plugin/Live/uploadPoster.php` endpoint.

Specifically, after verifying that the user is logged in, the system should verify that the authenticated user either owns the targeted live schedule or is an administrator before allowing the poster to be overwritten.

If you cannot immediately patch, consider restricting access to the vulnerable endpoint to trusted users only or disabling it temporarily.

  • Apply the fix from commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 which adds ownership and admin checks.
  • Monitor and audit usage of the `plugin/Live/uploadPoster.php` endpoint for suspicious activity.
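Added example, not the AVideo project's code: a model of the authorization decision the mitigation describes, written in Python rather than the project's PHP. The vulnerable handler accepts any logged-in user, as the advisory describes; the fixed one also requires the caller to own the targeted schedule or to be an administrator before the poster is written. The `User` and `Schedule` records and the in-memory store are constructed stand-ins for the platform's session and database.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    is_admin: bool = False
    logged_in: bool = True

@dataclass
class Schedule:
    id: int
    users_id: int          # owner of the scheduled live stream
    poster: str = "default.jpg"

# Constructed in-memory stand-in for the live_schedule table.
def make_store():
    return {1: Schedule(1, users_id=10), 2: Schedule(2, users_id=20)}

def upload_poster_vulnerable(user, live_schedule_id, filename, store):
    """Behaviour described in the advisory: only the login check is made, so any
    authenticated user can overwrite the poster of whatever schedule id they send."""
    if not user.logged_in:
        return 401, "not logged in"
    sched = store.get(live_schedule_id)
    if sched is None:
        return 404, "no such schedule"
    sched.poster = filename
    return 200, "poster updated"

def upload_poster_fixed(user, live_schedule_id, filename, store):
    """Login check followed by an object-level authorization check: the caller
    must own the schedule or be an administrator before anything is written."""
    if not user.logged_in:
        return 401, "not logged in"
    sched = store.get(live_schedule_id)
    if sched is None:
        return 404, "no such schedule"
    if sched.users_id != user.id and not user.is_admin:
        return 403, "not the owner of this live schedule"
    sched.poster = filename
    return 200, "poster updated"

if __name__ == "__main__":
    attacker = User(id=20)          # logged in, owns schedule 2 but not 1
    print(upload_poster_vulnerable(attacker, 1, "defaced.jpg", make_store()))  # (200, ...)
    print(upload_poster_fixed(attacker, 1, "defaced.jpg", make_store()))       # (403, ...)
```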
Compliance Impact

The vulnerability allows unauthorized disclosure of sensitive information such as broadcast keys and user IDs to all connected WebSocket clients. This information disclosure could potentially violate data protection principles found in regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Additionally, the ability for attackers to tamper with scheduled live stream posters and send false notifications could lead to misinformation and phishing risks, which may indirectly impact compliance with standards that mandate integrity and security of user data and communications.

However, the CVE description and resources do not explicitly mention compliance with any specific standards or regulations.
