CVE-2026-34368
TOCTOU Race Condition in WWBN AVideo Wallet Enables Double Credit
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34368 is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability in the wallet transfer function of the WWBN AVideo platform. The `transferBalance()` method reads the sender's wallet balance, checks that it covers the requested amount, and then updates the balances, with no database transaction or row-level lock tying the check to the write.
Because nothing prevents those steps from interleaving, an attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance and each pass the sufficiency check independently. The sender's wallet ends up deducted only once while the recipient's wallet is credited once per request, effectively creating money from nothing.
The vulnerability also involves flawed captcha validation: the captcha token is not invalidated after use, so one solved captcha can be submitted again with later requests (a replay attack) instead of limiting the attacker to a single submission per solve.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is exploited by sending many concurrent transfer requests from multiple authenticated sessions, so detection means looking for bursts of wallet transfer requests from the same user or client within a very short window.
Since the race depends on requests reaching the server at nearly the same moment, look for multiple simultaneous POST requests to the wallet transfer endpoint (likely handled by the transferBalance() method in plugin/YPTWallet/YPTWallet.php) from the same user or IP. Web server logs show the client and the timing but not which wallet was touched, so confirming an actual double credit needs application or database records.
Suggested commands to detect suspicious activity include:
- Use web server logs (e.g., Apache or Nginx) to search for multiple concurrent POST requests to the wallet transfer URL within a short time frame from the same user or IP.
- Example command to check for rapid repeated POST requests (the endpoint path below is a placeholder; adjust the path and log file to your deployment): `grep 'POST /plugin/YPTWallet/transferFunds.php' /var/log/nginx/access.log | awk '{print $1, $4, $7}' | sort | uniq -c | sort -nr | head`. In the combined log format fields 1, 4 and 7 are the client IP, the timestamp to the second and the request path, so the count at the start of each output line is the number of transfer POSTs one IP sent within a single second; a count well above one is the burst to investigate.
- Monitor database logs or enable query logging to detect multiple concurrent SELECT or UPDATE queries on the wallet table for the same user.
- Use application-level logging to detect multiple wallet transfer requests from the same user within a very short time window.
Note: The vulnerability requires multiple authenticated sessions, so monitoring for multiple simultaneous sessions from the same user may also help detect exploitation attempts.
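The following is an added example, not code from the advisory or from AVideo: a sliding-window detector over web-server access log lines that implements the "rapid repeated POST" check above, and also catches a burst spread over a few seconds rather than only requests logged in the same second. The log lines are constructed for the demo, and the endpoint path is the same placeholder used in the grep command (it has not been verified against AVideo, so adjust it). The combined log format records the HTTP auth user, not the application session, so the detector keys on client IP; correlating by AVideo user needs the application-level or database logging mentioned above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx/Apache "combined" log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Placeholder endpoint (same guess as the grep command above); adjust to your install.
TRANSFER_PATH = "/plugin/YPTWallet/transferFunds.php"
WINDOW_SECONDS = 2.0   # how close together the requests must be
THRESHOLD = 3          # this many transfer POSTs inside the window raises an alert

# Constructed sample: one client fires three transfers inside one second (the race
# pattern); a second client sends a GET and two POSTs five minutes apart (benign).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "POST /plugin/YPTWallet/transferFunds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "POST /plugin/YPTWallet/transferFunds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2026:10:00:02 +0000] "POST /plugin/YPTWallet/transferFunds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2026:10:00:02 +0000] "GET /plugin/YPTWallet/transferFunds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2026:10:00:05 +0000] "POST /plugin/YPTWallet/transferFunds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2026:10:05:00 +0000] "POST /plugin/YPTWallet/transferFunds.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return (ip, user, method, path, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], m["method"], m["path"].split("?", 1)[0], ts


def find_bursts(lines, path=TRANSFER_PATH, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding window per client IP over POSTs to `path`.

    Returns one (ip, user, count, time) tuple per burst. The window is cleared after
    an alert so a long burst is reported once rather than on every further line.
    Lines are expected in time order, as they appear in an access log."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, method, req_path, ts = rec
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, user, len(q), ts.isoformat()))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print("burst:", alert)
```

On the sample input the detector reports one burst, `('203.0.113.7', '-', 3, '2026-03-27T10:00:02+00:00')`; the second client's GET is ignored and its two POSTs are too far apart to count. Feed it `open('/var/log/nginx/access.log')` instead of the sample, and tune the window and threshold to how fast legitimate users on your site actually click.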
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the WWBN AVideo platform to a version that includes the fix (commit 34132ad5159784bfc7ba0d7634bb5c79b769202d or later). This fix implements database transactions with row-level locking to prevent the race condition.
- Ensure that the wallet transfer logic uses atomic database transactions with SELECT ... FOR UPDATE locking on both sender and receiver wallet rows to prevent concurrent inconsistent updates.
- Apply the patch that unsets the captcha token stored in the session after successful validation to prevent captcha token reuse and replay attacks.
- Modify the frontend to reload the captcha after each transfer attempt, regardless of success or failure, to maintain captcha integrity.
- If immediate patching is not possible, consider temporarily restricting concurrent wallet transfer requests from the same user or IP, or implementing additional rate limiting and monitoring to detect suspicious activity.
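The following is an added example, not AVideo's code and not the upstream fix commit: it models the read-check-write sequence described under "Can you explain this vulnerability to me?" and the transaction-plus-lock remedy from the mitigation steps above, against a constructed SQLite wallet table. The table layout, the balances, the five-session count and both transfer functions are assumptions made for the demo. SQLite has no SELECT ... FOR UPDATE, so the fixed path uses BEGIN IMMEDIATE, which plays the same role of taking the write lock before the balance is read; the MySQL/InnoDB form is named in the code comment. The starting balance is chosen so every session passes the check, which the vulnerable path relies on to line the sessions up at a barrier before they write.

```python
import os
import sqlite3
import tempfile
import threading

SENDER, RECIPIENT = 1, 2   # constructed wallet rows
AMOUNT = 10                # value each request transfers
SESSIONS = 5               # concurrent "authenticated sessions"


def fresh_db(sender_balance=30):
    """Create a throwaway file-backed SQLite wallet table (constructed data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    with sqlite3.connect(path) as conn:  # the with-block commits on exit
        conn.execute("CREATE TABLE wallet (users_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
        conn.executemany("INSERT INTO wallet VALUES (?, ?)", [(SENDER, sender_balance), (RECIPIENT, 0)])
    conn.close()
    return path


def connect(path):
    # Autocommit: every statement is its own transaction unless BEGIN is issued.
    return sqlite3.connect(path, timeout=5, isolation_level=None)


def read_balance(conn, users_id):
    # fetchall() runs the statement to completion, so no read lock lingers into the race window.
    return conn.execute("SELECT balance FROM wallet WHERE users_id = ?", (users_id,)).fetchall()[0][0]


def transfer_vulnerable(path, amount, window):
    """Read, check and write as separate statements with no transaction."""
    conn = connect(path)
    try:
        balance = read_balance(conn, SENDER)  # time of check
        if balance < amount:
            return False
        window.wait()  # every session is now past the check on the same stale value
        # Time of use. The debit stores a value computed from the stale read, so all sessions
        # write the same number (one deduction); the credit increments, so it lands once per session.
        conn.execute("UPDATE wallet SET balance = ? WHERE users_id = ?", (balance - amount, SENDER))
        conn.execute("UPDATE wallet SET balance = balance + ? WHERE users_id = ?", (amount, RECIPIENT))
        return True
    finally:
        conn.close()


def transfer_fixed(path, amount):
    """Take the write lock first, then read, check and write in one transaction.
    SQLite has no SELECT ... FOR UPDATE; BEGIN IMMEDIATE makes other sessions block at their
    own BEGIN until COMMIT. On MySQL/InnoDB use START TRANSACTION + SELECT ... FOR UPDATE."""
    conn = connect(path)
    try:
        conn.execute("BEGIN IMMEDIATE")
        if read_balance(conn, SENDER) < amount:  # checked under the lock, so never stale
            conn.execute("ROLLBACK")
            return False
        conn.execute("UPDATE wallet SET balance = balance - ? WHERE users_id = ?", (amount, SENDER))
        conn.execute("UPDATE wallet SET balance = balance + ? WHERE users_id = ?", (amount, RECIPIENT))
        conn.execute("COMMIT")
        return True
    except Exception:
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        raise
    finally:
        conn.close()


def race(path, transfer, *extra):
    """Run SESSIONS transfers concurrently; return (sender, recipient, accepted)."""
    results, errors = [], []
    def session():
        try:
            results.append(transfer(path, AMOUNT, *extra))
        except Exception as exc:  # re-raised after join so a failure is visible
            errors.append(exc)
    threads = [threading.Thread(target=session) for _ in range(SESSIONS)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if errors:
        raise errors[0]
    conn = connect(path)
    final = (read_balance(conn, SENDER), read_balance(conn, RECIPIENT), sum(results))
    conn.close()
    os.remove(path)
    return final


def demo_vulnerable():  # sender holds 30, five sessions each move 10: only three can be honest
    return race(fresh_db(30), transfer_vulnerable, threading.Barrier(SESSIONS))


def demo_fixed():
    return race(fresh_db(30), transfer_fixed)
```

Calling `demo_vulnerable()` returns `(20, 50, 5)`: all five transfers of 10 were accepted, the sender lost 10 only once, and a wallet that started with 30 now totals 70. `demo_fixed()` returns `(0, 30, 3)`: the first three transfers drain the sender and the remaining two are rejected, so the total stays 30. The barrier exists only to make the race deterministic; against a real server the attacker gets the same window by firing the requests from several sessions at once, as the description above says.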
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in CVE-2026-34368 allows authenticated attackers to manipulate wallet balances by exploiting a race condition, leading to unauthorized balance inflation and financial integrity compromise.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity breach in financial transactions could indirectly impact regulatory compliance related to financial data accuracy and fraud prevention.
Specifically, the ability to create funds from nothing and bypass pay-per-view charges or subscription fees undermines trust and accountability, which are important aspects of many regulatory frameworks.
However, there is no direct information provided about effects on personal data protection or privacy regulations like GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to inflate wallet balances arbitrarily by exploiting the race condition in concurrent transfer requests.
- Attackers can bypass pay-per-view charges and subscription fees by creating multiple sessions and transferring funds concurrently.
- It compromises the financial integrity of the system by desynchronizing total wallet balances from actual deposits.
- The attacker can create funds out of thin air, leading to potential financial losses for the platform or other users.