Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Double spend and unauthorized balance manipulation in user wallets
Action: Patch Now
AI Analysis

Impact

The vulnerability is a time‑of‑check time‑of‑use race condition in the transferBalance method of the YPTWallet plugin. An attacker running multiple authenticated sessions can trigger simultaneous transfer requests. Each request reads the sender's wallet balance before the balance is actually deducted, ensuring that all balance checks succeed. The deduction is applied only once, while the recipient receives the full amount for each request, effectively creating a double‑spend. This leads to unauthorized financial loss for the sender and possible over‑crediting for the recipient.

Affected Systems

Affected products are WWBN AVideo versions 26.0 and earlier, specifically the YPTWallet plugin's transferBalance function. All deployments of this open source video platform before the referenced commit lack transaction protection or row‑level locking.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no EPSS score is available, making it unclear how frequently attackers target this flaw. The issue is not listed in the CISA KEV catalog, suggesting no publicly known exploitation. The likely attack vector requires an attacker to be authenticated and to manage multiple sessions or parallel requests against the same account, which can be achieved through standard web interactions. Because the vulnerability depends on race timing and concurrent access, it is less likely to be easily exploited but still poses a financial risk if used by a determined adversary.

Generated by OpenCVE AI on March 27, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix from commit 34132ad5159784bfc7ba0d7634bb5c79b769202d, which adds proper transaction handling or locking within the transferBalance method.
  • Upgrade AVideo to the latest released version that includes the patched plugin.
  • If an immediate upgrade is not possible, restrict concurrent balance transfer operations by implementing application‑level locking or disabling simultaneous transfers for the same user.
  • Verify that wallet operations are now protected by database transactions or row‑level locks to prevent further race conditions.

Generated by OpenCVE AI on March 27, 2026 at 19:35 UTC.
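To make the read-check-write sequence from the description and the transaction-or-lock fix from the recommended actions concrete, here is an added Python/SQLite example (not AVideo's code; the `wallet` table, the user ids and the deterministic replay of the interleaving are constructed stand-ins for the project's schema and request handling):

```python
import sqlite3

def make_db():
    # Constructed schema: an in-memory stand-in for the project's wallet table.
    con = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN/COMMIT issued explicitly below
    con.execute("CREATE TABLE wallet (user_id INTEGER PRIMARY KEY, balance REAL NOT NULL)")
    con.executemany("INSERT INTO wallet VALUES (?, ?)", [(1, 100.0), (2, 0.0)])
    return con

def balance(con, user_id):
    return con.execute("SELECT balance FROM wallet WHERE user_id = ?", (user_id,)).fetchone()[0]

# Vulnerable pattern (CWE-362): the sufficiency check runs on a balance read earlier,
# and the write stores snapshot - amount instead of deducting from the current row.
def transfer_toctou(con, sender, recipient, amount, snapshot):
    if snapshot < amount:          # time of check: evaluated on the possibly stale snapshot
        return False
    con.execute("UPDATE wallet SET balance = ? WHERE user_id = ?", (snapshot - amount, sender))  # time of use
    con.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, recipient))
    return True

# Hardened pattern: one transaction, with the check folded into the UPDATE's WHERE clause,
# so the database evaluates balance >= amount against the current row under its write lock.
def transfer_atomic(con, sender, recipient, amount):
    con.execute("BEGIN IMMEDIATE")  # take the write lock up front so concurrent transfers serialise
    try:
        debited = con.execute(
            "UPDATE wallet SET balance = balance - ? WHERE user_id = ? AND balance >= ?",
            (amount, sender, amount)).rowcount
        if debited != 1:            # insufficient funds (or unknown sender): nothing was changed
            con.execute("ROLLBACK")
            return False
        con.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, recipient))
        con.execute("COMMIT")
        return True
    except Exception:
        con.execute("ROLLBACK")
        raise

def simulate(n_requests=3, amount=100.0, hardened=False):
    # Replay n concurrent requests with the advisory's interleaving: every request passes its
    # check before any write lands. Returns (successful_transfers, sender_balance, recipient_balance).
    con = make_db()
    if hardened:
        ok = sum(transfer_atomic(con, 1, 2, amount) for _ in range(n_requests))
    else:
        snapshots = [balance(con, 1) for _ in range(n_requests)]  # all reads happen first (stale)
        ok = sum(transfer_toctou(con, 1, 2, amount, s) for s in snapshots)
    return ok, balance(con, 1), balance(con, 2)
```

On MySQL/MariaDB or PostgreSQL the same shape applies: either the conditional `UPDATE ... WHERE balance >= ?` inside a transaction, or `SELECT ... FOR UPDATE` on the sender row before the check, so the second request blocks until the first commits and then sees the reduced balance.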

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance, all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.
Title | | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
Weaknesses | | CWE-362
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T18:12:18.760Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34368

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T18:16:05.723

Modified: 2026-03-27T18:16:05.723

Link: CVE-2026-34368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:51Z

Weaknesses