Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unauthorized termination of live streams
Action: Apply Patch ASAP
AI Analysis

Impact

The vulnerability is in the on_publish_done.php endpoint of the Live plugin for WWBN AVideo. The endpoint processes RTMP callback events to mark streams as finished but performs no authentication or authorization. As a result, any user can send a crafted HTTP POST request to terminate any active live broadcast. The weakness corresponds to missing authentication checks (CWE‑306) and leads to denial of service for broadcasters and viewers.

Affected Systems

The issue affects WWBN AVideo versions 26.0 and earlier. Administrators running those releases, especially those with the Live plugin enabled, are exposed. The unauthenticated stats.json.php endpoint also allows enumeration of active stream keys, which is required to successfully trigger the termination.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the low exploit probability suggests current attacks are unlikely. The vulnerability is not listed in a major exploited vulnerability catalog. The attack requires no privileged access: an external attacker can discover active stream keys through an unsecured API, then post to on_publish_done.php and immediately halt the broadcast. Because the endpoint accepts authenticated or unauthenticated traffic, the attack can be performed remotely from any network that reaches the AVideo server.

Generated by OpenCVE AI on April 2, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest AVideo release once a fix is available.
  • Restrict access to on_publish_done.php using firewall rules or by requiring authentication.
  • If live streaming is not needed, disable the Live plugin entirely.
  • Monitor HTTP traffic to on_publish_done.php for unusual termination requests.
  • Keep the AVideo platform and all related components regularly updated.

Generated by OpenCVE AI on April 2, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4jcg-jxpf-5vq3 AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.
Title AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:53:29.985Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34731

cve-icon Vulnrichment

Updated: 2026-04-01T15:47:43.579Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T21:16:31.760

Modified: 2026-04-01T18:37:42.803

Link: CVE-2026-34731

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:39Z

Weaknesses