PatchSiren cyber security CVE debrief

CVE-2026-56345 AVideo CVE debrief

CVE-2026-56345 is a critical authorization bypass vulnerability in AVideo's Meet plugin. The flaw is in the uploadRecordedVideo.json.php endpoint, which derives the target user's ID from the uploaded filename without verifying it. An attacker who knows the Meet shared secret can therefore craft a file upload whose filename names any users_id and obtain an authenticated session as that user, including admin. The vulnerability has a CVSS score of 9.2 and is rated critical.

Vendor: AVideo
Product: Unknown
CVSS: CRITICAL 9.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-20
Original CVE updated: 2026-06-23
Advisory published: 2026-06-20
Advisory updated: 2026-06-23

Who should care

Defenders of AVideo installations, particularly those running the Meet plugin, should be aware of this vulnerability. It allows arbitrary user session hijacking, which amounts to full account takeover. AVideo users, administrators, and security teams should prioritize patching or mitigating it.

Technical summary

The vulnerability exists in the uploadRecordedVideo.json.php endpoint of the Meet plugin in AVideo. The endpoint reads a users_id out of the uploaded filename and passes it to a passwordless User->login(), so an attacker who controls the filename can establish an authenticated session as any user, including admin. The Meet shared secret that gates the endpoint can be obtained through path-traversal vulnerabilities or timing attacks against checkToken.json.php. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
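The two weaknesses the summary describes, identity taken from client-controlled file metadata and a secret check that leaks through timing, are illustrated below with a hypothetical upload handler. This is an added example, not AVideo's code; the filename pattern, function names and session layout are assumptions.

```php
<?php
// Hypothetical upload handler, NOT AVideo's implementation.
declare(strict_types=1);

// Vulnerable pattern: trust an identifier embedded in the uploaded filename.
// Any caller who can name the file chooses which account the upload "belongs" to.
function vulnerableResolveUser(string $clientFilename): ?int
{
    // Assumed naming scheme "<prefix>_<users_id>_<anything>"; the id is unverified.
    if (preg_match('/_(\d+)_/', $clientFilename, $m)) {
        return (int) $m[1];
    }
    return null;
}

// Hardened pattern: the identity comes only from server-side authenticated state,
// and the shared secret is compared in constant time so it cannot be recovered
// byte by byte from response timing.
function hardenedResolveUser(array $session, string $providedSecret, string $expectedSecret): ?int
{
    if (!hash_equals($expectedSecret, $providedSecret)) {
        return null; // wrong secret: no identity, no login
    }
    // Bound to the session the server already authenticated, never to the filename.
    return isset($session['users_id']) ? (int) $session['users_id'] : null;
}

// Never store under the client's name: pick a random name and whitelist the extension,
// which also removes any path-traversal sequences the client supplied.
function safeStoredName(string $clientFilename): string
{
    $ext = strtolower(pathinfo($clientFilename, PATHINFO_EXTENSION));
    $ext = in_array($ext, ['webm', 'mp4'], true) ? $ext : 'bin';
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demonstration values.
$session = ['users_id' => 7];                                  // server-side, authenticated
var_dump(vulnerableResolveUser('rec_1_2026.webm'));            // int(1): attacker-chosen id
var_dump(hardenedResolveUser($session, 's3cret', 's3cret'));   // int(7): from the session
var_dump(hardenedResolveUser($session, 'wrong', 's3cret'));    // NULL: secret rejected
echo safeStoredName('../../rec_1_2026.php'), PHP_EOL;          // random hex name with .bin
```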

Defensive priority

High priority, due to the critical CVSS score and the potential for full account takeover.

Recommended defensive actions

  • Apply patches or updates to AVideo and the Meet plugin to fix the vulnerability
  • Review and update the Meet shared secret to prevent unauthorized access
  • Implement compensating controls, such as monitoring and logging, to detect potential attacks
  • Conduct a thorough inventory of AVideo installations and assess exposure to this vulnerability
  • Review official advisories and vendor-supported remediation guidance

Evidence notes

The vulnerability is described in the CVE record and NVD detail pages. AVideo users should verify their installations and assess exposure to this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.