Executive Summary

CVE-2026-56345 is an authorization bypass vulnerability in the AVideo Meet plugin's uploadRecordedVideo.json.php endpoint. The endpoint derives the target user's ID from the uploaded filename without proper verification. An attacker who knows the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary user ID. This triggers a passwordless login function that creates an authenticated session as that user, including administrators.

The attacker can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against another endpoint (checkToken.json.php). Once the secret is known, the attacker uploads a file with a filename like '1-anything.mp4' to hijack the admin session and gain full account takeover.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to bypass authentication and impersonate any user, including administrators, without needing a password.

• Full account takeover of targeted users.
• Compromise of confidentiality, integrity, and availability of user accounts and potentially the entire system.
• Attackers can establish persistent authenticated sessions, enabling long-term unauthorized access.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious POST requests to the Meet plugin's uploadRecordedVideo.json.php endpoint with filenames containing arbitrary user IDs.

Specifically, look for upload attempts where the filename includes patterns like '1-anything.mp4' or '1-admin.mp4', which indicate attempts to hijack sessions by impersonating user ID 1 (commonly the admin).

Additionally, detection can include checking for unusual access or timing attacks against the checkToken.json.php endpoint, which could indicate attempts to extract the Meet shared secret.

• Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to uploadRecordedVideo.json.php and inspect filenames.
• Example command to capture suspicious uploads with tcpdump: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'uploadRecordedVideo.json.php'
• Use web server logs to search for POST requests with filenames matching regex patterns like '^\d+-.*\.mp4$' which may indicate exploitation attempts.
• Monitor for timing attack patterns or abnormal request rates to checkToken.json.php endpoint.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Meet plugin's uploadRecordedVideo.json.php endpoint and the checkToken.json.php endpoint to trusted users or IP addresses.

Ensure that the Meet shared secret is kept confidential and rotate it if there is any suspicion it has been compromised.

Apply patches or updates provided by the AVideo project that remove session creation from the uploadRecordedVideo.json.php endpoint and validate the users_id from a signed claim rather than the filename.

If patches are not immediately available, consider disabling the Meet plugin or the vulnerable endpoints temporarily to prevent exploitation.

Enhance monitoring and logging to detect exploitation attempts and respond quickly.

Useful 0 Not Useful 0