CVE-2026-56345
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
AVideo through version 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint. An attacker can exploit a crafted file upload to gain access to any user's session, including admin.
Risk Assessment
This vulnerability poses a significant risk of account takeover, potentially leading to unauthorized access to sensitive data and administrative functions within the system.
Recommendation
It is recommended to update AVideo to the latest version and implement additional verification mechanisms for file uploads to mitigate this vulnerability.
Original NVD description (English source)
AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.

