HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-56345Published Modified CNA VulnCheck

CVE-2026-56345: AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.

Metrics

CVSS v4.0
9.2
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authorization bypass vulnerability in the AVideo Meet plugin's uploadRecordedVideo.json.php endpoint allows a remote, unauthenticated attacker to hijack any user account, including administrator accounts. The endpoint derives a target user identity from an uploaded filename with no cryptographic verification of that identity, so an attacker who possesses the Meet shared secret can craft a filename like '1-anything.mp4' to trigger a passwordless login as any user. Successful exploitation gives the attacker a fully authenticated session, enabling complete account takeover. HarborGuard is tracking this advisory for patch availability, as no fix version has been published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-56345 is available across every HarborGuard environment. Affected image layers running AVideo at or below version 29.0 are matched against this CVE within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle AVideo.

Available
Triage

Triage is available with a CVSS v4.0 score of 9.2 (Critical), surfaced alongside each customer organization's compliance policy weighting to determine urgency and escalation path. Routing to the appropriate team inbox inside each customer org is handled automatically based on image ownership and policy configuration.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a corrected release. In the interim, compensating controls such as network-policy isolation of the Meet plugin endpoint, egress filtering, and feature-flag gating of the uploadRecordedVideo endpoint are surfaced as recommendations inside the advisory detail view.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the AVideo service via HTTP/HTTPS.

  • AuthenticationNot required

    No valid account or session token is needed; the attacker only needs the Meet shared secret, which can be obtained through separate path-traversal or timing-attack techniques against the same application.

  • Victim interactionNot required

    Exploitation is fully server-side; no victim needs to click a link or take any action for the attacker to hijack a session.

  • Attack complexityDetail

    Exploitation involves non-trivial preconditions, specifically obtaining the Meet shared secret through a separate path-traversal or timing attack, making reliable exploitation conditional on those environmental factors.

Blast Radius

  • Reads all data accessible to the hijacked account, including stored session tokens, private video content, and any admin-visible user records.
  • Modifies account settings, user roles, and application configuration as the hijacked admin user.
  • Crashes or disrupts service availability by abusing admin-level controls over the AVideo platform.
  • Pivots to further compromise by using admin credentials to install plugins or alter upload paths within the application.

How HarborGuard Handles This

Available on HarborGuard: images containing AVideo at or below version 29.0 are flagged at Critical severity (CVSS v4.0 9.2) and surfaced in each customer organization's vulnerability queue immediately upon advisory ingestion. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression test run and a PR opened against affected workloads the moment a fix version is published. While waiting for an upstream fix, the advisory detail view surfaces compensating-control guidance including isolating the Meet plugin endpoint behind a network policy that restricts inbound access, applying egress filtering to limit lateral movement, and disabling or gating the uploadRecordedVideo.json.php endpoint at the reverse-proxy or application layer if the Meet recording feature is not actively required. Where compliance policy permits, customers can configure HarborGuard to re-run these checks on a rolling cadence so any upstream release is acted on with minimal delay.

See how HarborGuard automates this
Affected packages
  • AVideo / AVideo
    ≤ 29.0
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References