PT-2026-28620 · Avideo · Yptsocket+1

Offset · Published 2026-03-27 · Updated 2026-03-30 · CVE-2026-34362

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0
Description: A flaw exists in AVideo where WebSocket tokens do not expire as intended, because the timeout validation in verifyTokenSocket() (plugin/YPTSocket/functions.php) is commented out. getEncryptedInfo() issues tokens with a 12-hour lifetime via getToken(43200), but since that check is never enforced, a token remains valid indefinitely, even after the user account is deleted, banned, or demoted.

Admin tokens grant access to real-time connection data for all online users, including IP addresses, browser information, and current page locations; the getClientsList message type lets a token holder enumerate connected users. The isAdmin claim embedded in the token amplifies the impact: an administrator who is later demoted keeps permanent admin-level WebSocket access. The 10-minute inactivity timeout does not mitigate the issue, as it only closes idle connections and has no effect on token validity.
Recommendations: Uncomment the timeout enforcement in verifyTokenSocket() at plugin/YPTSocket/functions.php:77-80. Note that restoring the check bounds the exposure to the 12-hour token lifetime; the isAdmin claim is still trusted for that window, so privileges should additionally be re-derived from the current user record when a connection is accepted.
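As an added illustration (not AVideo's own code), the following PHP models the verification pattern the description refers to: a signed token carrying time, timeout and isAdmin claims, a verifier with the expiry check commented out, and a hardened verifier that enforces the expiry and re-derives privileges from the current user record. The token format, the HMAC construction, the function names makeSocketToken/verifySocketTokenVulnerable/verifySocketTokenFixed/decodeAndAuthenticate and the sample user table are assumptions made for this example; they are not the internals of AVideo's getToken() or getEncryptedInfo().

```php
<?php
// Added illustration, not AVideo's code. Models the described flaw with a
// generic HMAC-signed token whose payload is {uid, isAdmin, time, timeout}.
// All names and the token layout are assumptions for this example.
declare(strict_types=1);

const SOCKET_SECRET = 'replace-with-a-server-side-secret'; // assumption: kept server-side

// Constructed sample user table; isAdmin reflects the user's CURRENT role.
$users = [
    1 => ['isAdmin' => true,  'active' => true],
    2 => ['isAdmin' => false, 'active' => true],
];

function makeSocketToken(int $uid, bool $isAdmin, int $timeout, ?int $now = null): string {
    $payload = json_encode([
        'uid'     => $uid,
        'isAdmin' => $isAdmin,
        'time'    => $now ?? time(),
        'timeout' => $timeout,   // seconds; the advisory's getToken(43200) is 12 hours
    ]);
    $mac = hash_hmac('sha256', $payload, SOCKET_SECRET);
    return base64_encode($payload) . '.' . $mac;
}

function decodeAndAuthenticate(string $token): ?array {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) { return null; }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) { return null; }
    if (!hash_equals(hash_hmac('sha256', $payload, SOCKET_SECRET), $mac)) { return null; }
    $claims = json_decode($payload, true);
    return is_array($claims) ? $claims : null;
}

// Vulnerable shape: the signature is checked, but the expiry check is commented
// out and the isAdmin claim is trusted exactly as it was at issuance.
function verifySocketTokenVulnerable(string $token, ?int $now = null): ?array {
    $claims = decodeAndAuthenticate($token);
    if ($claims === null) { return null; }
    // if ($claims['time'] + $claims['timeout'] < ($now ?? time())) { return null; }
    return $claims;
}

// Hardened shape: enforce the embedded expiry AND re-derive privileges from the
// live user record, so deleted/banned users are refused and demotion takes effect.
function verifySocketTokenFixed(string $token, array $users, ?int $now = null): ?array {
    $claims = decodeAndAuthenticate($token);
    if ($claims === null) { return null; }
    $now = $now ?? time();
    if ($claims['time'] + $claims['timeout'] < $now) { return null; }   // expired
    $u = $users[$claims['uid']] ?? null;
    if ($u === null || !$u['active']) { return null; }                // deleted or banned
    $claims['isAdmin'] = $u['isAdmin'];                                // ignore the stale claim
    return $claims;
}

// Scenario: admin uid 1 receives a 12-hour token, is demoted, and 13 hours pass.
$issued = 1700000000;
$token  = makeSocketToken(1, true, 43200, $issued);
$users[1]['isAdmin'] = false;            // demotion after issuance
$later  = $issued + 13 * 3600;

$v = verifySocketTokenVulnerable($token, $later);
$f = verifySocketTokenFixed($token, $users, $later);
printf("vulnerable: %s\n", $v ? 'accepted, isAdmin=' . var_export($v['isAdmin'], true) : 'rejected');
printf("fixed:      %s\n", $f ? 'accepted' : 'rejected (expired)');

// Within the 12-hour window the fixed verifier still accepts the token,
// but the admin flag now comes from the user record, not from the token.
$f2 = verifySocketTokenFixed($token, $users, $issued + 3600);
printf("fixed, 1h:  accepted, isAdmin=%s\n", var_export($f2['isAdmin'], true));
```

Run with `php example.php`. The fixed verifier goes beyond the advisory's recommendation (restoring the timeout check) by also refusing tokens for deleted or banned users and ignoring the stale isAdmin claim, which closes the remaining window in which a demoted administrator could still present a not-yet-expired token.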


Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2026-34362
GHSA-2MG4-PFGX-64CF

Affected Products

Avideo
Yptsocket