Description
AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.
Published: 2026-06-20
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can trick the Meet plugin into authenticating as any user by uploading a file whose name contains an arbitrary user identifier. The uploaded filename is used to call User->login() without verifying that the requester is authorized to act as that user. This bypass allows the attacker to obtain a fully authenticated session, essentially hijacking the account and gaining all privileges it entails.

Affected Systems

AVideo installations up to and including version 29.0 are vulnerable. The exploit targets the uploadRecordedVideo.json.php endpoint in the Meet plugin, which is present in all releases of AVideo through 29.0.

Risk and Exploitability

The CVSS score of 9.2 identifies this as a critical flaw. Although the EPSS score is not available, the vulnerability is not listed in CISA's KEV catalogue. Successful exploitation requires knowledge of the Meet shared secret, which an attacker can obtain via existing path‑traversal or timing attacks against the checkToken.json.php endpoint. Once the secret is known, the attacker can craft a malicious POST request with a filename such as "1‑anything.mp4" to hijack an admin session and perform a full account takeover.

Generated by OpenCVE AI on June 20, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version that removes the vulnerability in uploadRecordedVideo.json.php
  • If an upgrade is not immediately possible, restrict or disable the uploadRecordedVideo.json.php endpoint and prevent unauthenticated file uploads or modify the code so the filename does not provide the user ID
  • Secure the Meet shared secret by encrypting it and limiting exposure; restrict access to checkToken.json.php to trusted administrators only

Generated by OpenCVE AI on June 20, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.
Title AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint
First Time appeared Wwbn
Wwbn avideo
Weaknesses CWE-287
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T02:38:32.930Z

Reserved: 2026-06-20T18:13:07.363Z

Link: CVE-2026-56345

cve-icon Vulnrichment

Updated: 2026-06-23T02:38:28.728Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:30:02Z

Weaknesses