PT-2026-30284 · Meta+1 · Facebook Graph Api+3

Adrgs · Published 2026-04-03 · Updated 2026-04-06

CVE-2026-35179

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AVideo versions 26.0 and prior are affected by an issue in the SocialMediaPublisher plugin. The publishInstagram.json.php endpoint functions as an unauthenticated proxy to the Facebook/Instagram Graph API. This endpoint accepts user-controlled parameters, including the accessToken, containerId, and instagramAccountId, and directly passes them to the Graph API via the InstagramUploader::publishMediaIfIsReady() function. This allows unauthenticated users to make arbitrary Graph API calls through the server, potentially using stolen tokens or the platform's own credentials. The endpoint lacks authorization checks, unlike other endpoints in the same plugin that require user login or administrator privileges. An attacker can leverage this to publish, modify, or delete content on the platform's Instagram account. The server's IP address is used for the API calls, potentially bypassing rate limits or IP-based restrictions on the Graph API.
Recommendations: Add an administrator authorization check at the top of plugin/SocialMediaPublisher/publishInstagram.json.php:10, consistent with the refresh.json.php endpoint. This will restrict access to the endpoint to administrator users only.
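The recommended gate, as an added PHP sketch that is not AVideo's own code: it assumes AVideo's User::isAdmin() and forbiddenPage() helpers and the configuration include path that the plugin's other endpoints use, and it treats the parameter names and the argument order of InstagramUploader::publishMediaIfIsReady() as assumptions.

```php
<?php
// Added illustration of the fix described above, not AVideo's own code.
// Assumed: the configuration include path, User::isAdmin() and
// forbiddenPage() (helpers used by sibling endpoints such as
// refresh.json.php), the uploader file path, and the argument order of
// InstagramUploader::publishMediaIfIsReady().
require_once dirname(__FILE__) . '/../../videos/configuration.php';
require_once dirname(__FILE__) . '/InstagramUploader.php'; // assumed path

header('Content-Type: application/json');

// Authorization gate at the very top, before any request parameter is
// read, so an unauthenticated client can no longer drive Graph API calls
// through this server. Mirrors the check on refresh.json.php.
if (!User::isAdmin()) {
    forbiddenPage('Administrator privileges required');
}

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';

// Only after the gate do we touch the forwarded parameters (names from the
// advisory; reading them from $_REQUEST is an assumption).
$accessToken        = $_REQUEST['accessToken'] ?? '';
$containerId        = $_REQUEST['containerId'] ?? '';
$instagramAccountId = $_REQUEST['instagramAccountId'] ?? '';

if ($accessToken === '' || $containerId === '' || $instagramAccountId === '') {
    $obj->msg = 'Missing required parameters';
    die(json_encode($obj));
}

// Forward to the Graph API only on behalf of an authorized administrator.
$result = InstagramUploader::publishMediaIfIsReady(
    $accessToken,
    $containerId,
    $instagramAccountId
);

$obj->error = false;
$obj->result = $result;
echo json_encode($obj);
```

The only behavioural change relative to the unprotected endpoint is the User::isAdmin() gate; everything below it is the existing forwarding logic with its inputs validated for presence.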

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-35179
GHSA-X9W5-XCCW-5H9W

Affected Products

Avideo
Facebook Graph Api
Instagram Graph Api
Socialmediapublisher