Description
WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.
Published: 2026-03-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking, admin impersonation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in allowing unauthenticated access to a memcached instance that stores PHP session data. An attacker who can reach the exposed port can read, modify, or delete session entries, enabling hijacking of authenticated users and impersonation of administrators without any application‑level authentication. This results in potential compromise of confidentiality, integrity, and availability of all active sessions.

Affected Systems

Any installation of WWBN AVideo using the official Docker image prior to version 24.0 where the default docker‑compose configuration publishes port 11211 to the host and no authentication is required for memcached. Systems relying on Docker or similar setups that expose the memcached service externally are directly affected.

Risk and Exploitability

The CVSS score of 8.1 categorises this as a high-severity flaw. The low EPSS value (<1%) indicates a small current exploitation probability, but the impact of a single successful exploitation is significant. The flaw is not in the CISA KEV catalogue. Exploitation requires only simple interaction with the memcached protocol over a reachable port, typically from a machine on the same network or one with direct external access. Successful exploitation yields full session control, allowing attackers to impersonate users, elevate privileges to admin, or perform mass session invalidation. No specific privileges are required beyond network connectivity to the port.

Generated by OpenCVE AI on April 17, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 24.0 or later, which eliminates the exposed memcached session store.
  • If an upgrade is not immediately possible, reconfigure the Docker deployment so that the memcached port is bound only to localhost or another trusted interface, and block external access with firewall rules.
  • Configure PHP to store session data in a backend that requires authentication or in the default filesystem, and remove the dependency on memcached for session storage.
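
A way to check a deployment for the binding described above, as an added example that is not part of the advisory or of AVideo's code: it parses Compose short-syntax port strings and flags any that publish container port 11211 on a non-loopback address. The service names and the sample mapping are constructed, and treating every non-loopback bind as a finding is an assumption of this sketch.

```python
import ipaddress

MEMCACHED_PORT = 11211  # container port named in the advisory

def parse_port(spec):
    """Split a Compose short-syntax port into (host_ip, host_port, container_port)."""
    spec = str(spec).strip().split("/", 1)[0]   # drop a "/tcp" or "/udp" suffix
    host_ip = None
    if spec.startswith("["):                     # bracketed IPv6 host, e.g. "[::1]:11211:11211"
        host_ip, _, spec = spec[1:].partition("]")
        spec = spec.lstrip(":")
    parts = spec.split(":")
    if len(parts) == 3:                          # IP:HOST:CONTAINER
        host_ip, host_port, container = parts
    elif len(parts) == 2:                        # HOST:CONTAINER
        host_port, container = parts
    else:                                        # CONTAINER only: Docker picks the host port
        host_port, container = "", parts[0]
    return host_ip, host_port, container

def covers(field, port):
    """True if a port field ("11211" or a range "11210-11212") includes port."""
    lo, _, hi = field.partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_exposed(spec, port=MEMCACHED_PORT):
    """True if spec publishes the given container port on a non-loopback address."""
    host_ip, _, container = parse_port(spec)
    if not covers(container, port):
        return False
    # With no host IP, Docker by default binds the published port on all interfaces (0.0.0.0).
    return host_ip is None or not ipaddress.ip_address(host_ip).is_loopback

def audit(services):
    """Return sorted (service, port_spec) pairs that need review."""
    return sorted((name, str(p)) for name, ports in services.items()
                  for p in ports if is_exposed(p))

# Constructed sample: service name -> `ports:` list as loaded from a compose file.
SAMPLE = {
    "memcached_default": ["11211:11211"],
    "memcached_remapped": ["0.0.0.0:21211:11211"],
    "memcached_loopback": ["127.0.0.1:11211:11211"],
    "web": ["80:80", 443],
}

if __name__ == "__main__":
    for service, spec in audit(SAMPLE):
        print(f"{service}: {spec} publishes memcached beyond loopback")
```

The check keys on the container port, so a remapped host port such as 21211 is still reported.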


Advisories
Source ID Title
Github GHSA | GHSA-xxpw-32hf-q8v9 | AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
History

Mon, 16 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 06 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.
Title WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
Weaknesses CWE-287
CWE-668
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:10:12.415Z

Reserved: 2026-03-03T21:54:06.707Z

Link: CVE-2026-29093

Vulnrichment

Updated: 2026-03-06T15:58:31.430Z

NVD

Status: Analyzed

Published: 2026-03-06T04:16:08.940

Modified: 2026-03-16T14:49:52.763

Link: CVE-2026-29093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses