Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-34731 describes a vulnerability within the AVideo onpublishdone.php endpoint of the Live plugin, permitting unauthorized users to prematurely end active live streams. This flaw stems from a lack of authentication or authorization checks when processing RTMP callback events, enabling attackers to disrupt live broadcasts. The vulnerability affects versions of AVideo up to 26.0, and a fix is available.
CVE-2026-34731 in AVideo's Live plugin allows unauthenticated users to terminate any active live stream. The onpublishdone.php endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks. This means an attacker can, without logging in, interrupt live broadcasts of other users. The impact is significant, potentially leading to loss of live content, disruption of important events, and reputational damage to the platform. The CVSS severity score is 7.5, indicating a high risk.
An attacker can exploit this vulnerability by first enumerating active stream keys using the stats.json.php endpoint, which is also accessible without authentication. Once the attacker knows the stream key, they can send carefully crafted POST requests to the onpublishdone.php endpoint to terminate the stream. The simplicity of the exploitation makes this vulnerability particularly concerning, as it can be easily exploited by attackers with basic technical skills. The lack of input validation in onpublishdone.php allows the attacker to control the outcome of the operation, terminating the desired stream.
Exploit Status
EPSS
0.17% (38th percentile)
CISA SSVC
Currently, there is no official fix provided by the AVideo developer. The most effective immediate mitigation is to disable the Live plugin until an update is released. As a temporary measure, a Web Application Firewall (WAF) can be implemented to block POST requests to onpublishdone.php that do not originate from trusted sources. It is crucial to actively monitor server logs for suspicious activity related to this endpoint. Users of AVideo should stay informed about security updates and apply patches as soon as they become available. The lack of authentication in this endpoint represents a fundamental flaw that needs to be addressed by the developer.
No patches are available at the time of publication. It is recommended to disable the Live plugin until an update is released that fixes the vulnerability. Alternatively, authentication and authorization can be implemented in the on_publish_done.php endpoint to prevent unauthenticated users from terminating live broadcasts.
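As an added example (not part of this advisory and not AVideo's own code), a Python log-review script matching the monitoring advice above: it parses access-log lines in the common "combined" format and flags POST requests to onpublishdone.php that do not originate from the allowlisted media-server network, plus reads of stats.json.php from outside that network. The sample log lines, the /plugin/Live/ path prefix and the 10.0.0.0/24 trusted range are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in nginx/Apache "combined" log format (not real traffic).
# The /plugin/Live/ prefix is assumed; matching below is done on the script name only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /plugin/Live/onpublishdone.php HTTP/1.1" 200 17 "-" "nginx-rtmp"
203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "GET /plugin/Live/stats.json.php HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2026:10:01:11 +0000] "POST /plugin/Live/onpublishdone.php HTTP/1.1" 200 17 "-" "curl/8.4.0"
198.51.100.20 - - [12/Mar/2026:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumption: only the RTMP/media server on 10.0.0.0/24 legitimately issues callbacks.
TRUSTED_CALLBACK_NETS = [ip_network("10.0.0.0/24")]

UNTRUSTED_CALLBACK = "POST to stream-end callback from untrusted source"
UNTRUSTED_STATS = "stream-list read from untrusted source"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip, nets=TRUSTED_CALLBACK_NETS):
    """True if ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def find_suspicious_callbacks(log_text, nets=TRUSTED_CALLBACK_NETS):
    """Return (ip, method, script, reason) for Live-plugin hits from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_trusted(rec["ip"], nets):
            continue
        # Drop any query string and directory part; compare the script name only.
        script = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if script == "onpublishdone.php" and rec["method"] == "POST":
            hits.append((rec["ip"], rec["method"], script, UNTRUSTED_CALLBACK))
        elif script == "stats.json.php":
            hits.append((rec["ip"], rec["method"], script, UNTRUSTED_STATS))
    return hits
```

Feed it the web server's access log (for example via `find_suspicious_callbacks(open(path).read())`) and adjust TRUSTED_CALLBACK_NETS to the address of the media server that actually issues the RTMP callbacks.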
RTMP (Real-Time Messaging Protocol) is a multimedia streaming protocol commonly used for live video broadcasting.
If you are using the Live plugin from AVideo and have not applied any mitigation, your website is likely vulnerable.
Check your server logs for suspicious activity and consider disabling the Live plugin.
Currently, there are no specific tools for detecting this vulnerability, but generic web vulnerability scanners can be used.
There is no estimated release date for an official fix. Monitor AVideo developer communications.
CVSS Vector