CVE-2026-29093

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 24.0

Description The AVideo application's official docker-compose.yml file publishes the memcached service on host port 11211 (0.0.0.0:11211) without authentication. The Dockerfile configures PHP to store all user sessions in this memcached instance. An attacker reaching port 11211 can read, modify, or flush session data, potentially enabling session hijacking, admin impersonation, and mass session destruction. Session data includes user IDs, admin flags, email addresses, and password hashes. The application stores complete authentication state in sessions, accessible via the exposed memcached port. The docker-compose.yml file demonstrates awareness of proper service isolation for database services, which are internal-only, but this is not applied to memcached. An attacker can enumerate session keys, read serialized PHP session data, hijack sessions, escalate privileges, or perform a denial of service by destroying all sessions.

Recommendations Versions prior to 24.0: Remove the port mapping from the memcached service in the docker-compose.yml file. Also remove MEMCACHE PORT=11211 from env.example.