AVideo <=29.0 Auth Bypass in Meet Plugin uploadRecordedVideo.json.php
CVE-2026-56345 Published on June 20, 2026
AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint
AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.
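The flaw described above, sketched beside a safer pattern. This is an added illustration, not AVideo source code: the function names, the `$meetings` array and the meeting id are hypothetical, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Flawed pattern (as the advisory describes it): the account id is whatever
// number the client put at the front of the uploaded filename.
function usersIdFromFilename(string $clientFilename): int
{
    return (int) explode('-', basename($clientFilename), 2)[0];
}

// Constant-time check of the shared secret; hash_equals() does not return
// early on the first differing byte, so timing reveals nothing about it.
function secretMatches(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// Hardened pattern: the owner comes from a server-side record of the meeting.
// The filename is untrusted data, and the result is only used to attribute
// the stored file; this code path never creates a login session.
function resolveRecordingOwner(array $meetings, string $meetingId, string $clientFilename): ?int
{
    if (!isset($meetings[$meetingId])) {
        return null;                       // unknown meeting: reject the upload
    }
    $owner = $meetings[$meetingId]['users_id'];
    if (usersIdFromFilename($clientFilename) !== $owner) {
        error_log("recording upload: filename/owner mismatch for meeting $meetingId");
        return null;                       // claimed id disagrees with the record
    }
    return $owner;
}

// Constructed sample data: meeting "m-42" was scheduled by user 7.
$meetings = ['m-42' => ['users_id' => 7]];
$secret   = 'constructed-example-secret';

var_dump(secretMatches($secret, 'wrong-guess'));
var_dump(resolveRecordingOwner($meetings, 'm-42', '7-recording.mp4'));
var_dump(resolveRecordingOwner($meetings, 'm-42', '1-anything.mp4'));
```

Even if the shared secret leaks, a handler built this way can at most attach a file to the meeting's recorded owner; it cannot be used to obtain a session as another user.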
Vulnerability Analysis
CVE-2026-56345 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Authentication Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-56345 has been classified as an authentication vulnerability or weakness.
Products Associated with CVE-2026-56345
Affected Versions
AVideo: versions up to and including 29.0 are affected.