PT-2026-51175 · Avideo · Avideo

Offset · Published 2026-06-20 · Updated 2026-06-20 · CVE-2026-56345

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 29.0
Description: An authorization bypass exists in the Meet plugin's 'uploadRecordedVideo.json.php' endpoint. The system derives the target user's id from the uploaded filename without proper verification. An attacker who possesses the Meet shared secret can upload a crafted file whose filename contains an arbitrary user's id, which triggers the login() function of the User class and establishes an authenticated session as any user, including the administrator. The Meet shared secret can be obtained via path-traversal vulnerabilities or timing attacks against the 'checkToken.json.php' endpoint. By sending a POST request to 'uploadRecordedVideo.json.php' with a filename such as '1-anything.mp4', an attacker can hijack administrative sessions and achieve full account takeover.
Recommendations: Update to a version later than 29.0. As a temporary mitigation, restrict access to the 'uploadRecordedVideo.json.php' and 'checkToken.json.php' endpoints.
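Until the update is applied, a defender will want to know whether the two endpoints named above are being probed. The script below is an added example written for this page, not AVideo project code: it parses Common Log Format access-log lines and reports (a) any POST to 'uploadRecordedVideo.json.php' and (b) any client that issues a burst of requests to 'checkToken.json.php' within a short window, the traffic shape a timing attack against that endpoint would produce. The log lines, the client addresses and the '/plugin/Meet/' URL prefix are constructed for illustration and are not taken from a real deployment.

```python
"""Flag advisory-relevant request patterns in web-server access logs.

Added example, not AVideo code. Log lines and the '/plugin/Meet/' path
prefix below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UPLOAD_ENDPOINT = "uploadRecordedVideo.json.php"  # named in the advisory
TOKEN_ENDPOINT = "checkToken.json.php"            # named in the advisory

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status,
    or None for a line that is not in Common Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def analyze(lines, token_threshold=20, window_seconds=60):
    """Return a list of (kind, ip, detail) findings.

    kind is 'upload_post' for each POST to the upload endpoint, or
    'token_burst' once per client that sends >= token_threshold requests
    to the token endpoint inside any window_seconds-long window.
    """
    findings = []
    token_hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/" + UPLOAD_ENDPOINT):
            findings.append(("upload_post", rec["ip"], rec["ts"].isoformat()))
        elif rec["path"].endswith("/" + TOKEN_ENDPOINT):
            token_hits[rec["ip"]].append(rec["ts"])

    for ip, stamps in token_hits.items():
        stamps.sort()
        start = 0
        # Sliding window over sorted timestamps: report the first window
        # that reaches the threshold, then move on to the next client.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= token_threshold:
                findings.append(("token_burst", ip,
                                 f"{count} requests within {window_seconds}s"))
                break
    return findings


# --- constructed sample log -------------------------------------------------
def _line(ip, ts, method, path, status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'


_base = datetime(2026, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("198.51.100.7", _base, "GET", "/index.php")]
# 25 token checks in 25 seconds from one client (timing-attack shape).
SAMPLE_LOG += [
    _line("203.0.113.5", _base + timedelta(seconds=i), "GET",
          "/plugin/Meet/" + TOKEN_ENDPOINT + "?token=x")
    for i in range(25)
]
# ...followed by a POST to the upload endpoint from the same client.
SAMPLE_LOG.append(_line("203.0.113.5", _base + timedelta(seconds=40), "POST",
                        "/plugin/Meet/" + UPLOAD_ENDPOINT))
SAMPLE_LOG.append("this line is not in log format")

if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:12} {ip:15} {detail}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; tune token_threshold to the legitimate rate at which Meet clients call 'checkToken.json.php' in your deployment, and treat any 'upload_post' hit from an address that also produced a 'token_burst' as a priority for review.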

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-56345

Affected Products

Avideo