Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.
Published: 2026-03-23
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via Live Stream Control
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the live stream control endpoint of the AVideo platform, allowing an attacker to supply a custom streamerURL parameter that redirects token verification to an attacker‑controlled server. The controlled server can always return a success response, effectively bypassing authentication and granting unauthenticated users the ability to drop live publishers, start or stop recordings, and probe the existence of streams. This flaw provides direct, disruptive control over live video streams, potentially impacting availability, integrity, and the integrity of content delivery.

Affected Systems

The flaw affects versions of AVideo up to and including 26.0, specifically the plugin located at plugin/Live/standAloneFiles/control.json.php. All installations of the AVideo open‑source video platform deploying this endpoint are susceptible unless upgraded beyond the vulnerable version.

Risk and Exploitability

The CVSS base score of 9.4 indicates critical severity, while an EPSS score of less than 1% suggests the exploit probability is currently low. However, the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploit yet. The most likely attack vector is a remote unauthenticated HTTP request to the vulnerable endpoint; an attacker only needs to craft a request containing a forged streamerURL. Once exploited, the attacker gains extensive control over live streams, posing a high risk to operational continuity.

Generated by OpenCVE AI on March 25, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version newer than 26.0 or apply the patch commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128
  • Verify that the control.json.php endpoint no longer accepts arbitrary streamerURL values
  • Monitor AVideo deployments and vendor advisories for additional patches or workarounds

Generated by OpenCVE AI on March 25, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9hv9-gvwm-95f2 AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
History

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.
Title AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:25:27.605Z

Reserved: 2026-03-23T17:06:05.748Z

Link: CVE-2026-33716

cve-icon Vulnrichment

Updated: 2026-03-24T14:25:22.703Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T19:16:42.323

Modified: 2026-03-25T15:05:05.063

Link: CVE-2026-33716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:03Z

Weaknesses