
AVideo Live Stream Authentication Bypass via Untrusted Token Verification Redirect

AVideo's live stream control endpoint accepts user-supplied URLs for token verification, allowing attackers to redirect authentication checks to attacker-controlled servers that approve all tokens. This completely bypasses stream access controls without credentials.

Sebastion

CVE References

Affected

AVideo/AVideo

Vulnerability Description

This is a critical authentication bypass stemming from unsafe input validation in the token verification workflow. The vulnerability class is Broken Authentication (CWE-287) combined with Improper Input Validation (CWE-20). The root cause is the direct assignment of user-supplied streamerURL parameters to the token verification request without hostname validation, whitelist checks, or cryptographic pinning. The impact is complete circumvention of live stream access controls—attackers gain unauthenticated ability to drop active publishers, manipulate recordings, and enumerate stream existence across the platform.

PoC Significance for Defenders

This proof-of-concept demonstrates a highly reliable and low-complexity exploit requiring only: (1) knowledge of the vulnerable endpoint path, (2) control of any externally accessible HTTP server, and (3) the target stream identifier. No credentials, session tokens, or complex timing are needed. The PoC proves that the application trusts external servers for critical security decisions without verification. The 12-hour token window mentioned in the disclosure suggests tokens are long-lived, increasing exposure. Preconditions are minimal—the endpoint must be internet-accessible (common for live streaming platforms) and the attacker needs to craft a request to control.json.php with a malicious streamerURL parameter.

Detection Guidance

HTTP Log Indicators:

  • Requests to plugin/Live/standAloneFiles/control.json.php with streamerURL parameter containing hostnames differing from legitimate server domains
  • Multiple requests from same source IP with varying streamerURL values (enumeration)
  • streamerURL parameters pointing to external URLs, or to addresses outside the RFC 1918 private ranges, rather than to the platform's own verification host
  • Spikes in control.json.php requests from unauthenticated sources

WAF/IDS Rules:

  • Block/alert on regex: streamerURL=(?!https?://(\[?[0-9a-f:.]+\]?|localhost|127\.0\.0\.1|<WHITELIST>)) (apply it to the URL-decoded query string, since the parameter normally arrives percent-encoded; the IP-literal alternative also admits hex-looking hostnames, so an exact allowlist of the expected host(s) is the stronger form)
  • Monitor for multiple failed publisher drop or recording stop requests in short timeframe

Application Log Indicators:

  • file_get_contents() calls to external hostnames from control.json.php
  • Token verification responses always returning {"error": false} from non-canonical sources
  • Stream control actions without corresponding valid session tokens in authentication logs

Mitigation Steps

  1. Immediate Patching: Upgrade to AVideo version patching CVE-2026-33716 (check GitHub advisories for fixed version)
  2. Input Validation: Implement strict hostname whitelist for streamerURL—only allow configured internal verification server(s)
  3. Hostname Verification: Parse the supplied URL and verify that its host component matches the expected domain(s) (the application's own $_SERVER['HTTP_HOST'] or a configured list) before making any outbound HTTP request
  4. Remove User Control: Eliminate streamerURL parameter entirely; source should be immutable application configuration
  5. Cryptographic Pinning: Store certificate/public key of legitimate verification endpoint; validate server certificate during file_get_contents() or use verify_peer=true in SSL context
  6. Rate Limiting: Enforce per-IP rate limits on control.json.php requests
  7. Network Segmentation: Restrict outbound HTTP(S) from application server to only legitimate internal verification endpoints via firewall
  8. Audit Token Access: Implement logging of all token verification requests with source IP and streamerURL used
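The hostname allowlist of mitigation steps 2 and 3 and the HTTP log indicators from the detection guidance, as a Python script added here for illustration (it is not AVideo's own code, which is PHP): verification_url_is_allowed() accepts only http(s) URLs whose host is on a configured allowlist and fails closed on other schemes, malformed hosts, IP literals and userinfo tricks, and scan_access_log() applies that same check to the streamerURL parameter of control.json.php requests in combined-format access log lines and flags source IPs that used several distinct values (the enumeration indicator). The allowlist host stream.example.org, the threshold, the log lines and the IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed operator configuration: the only host(s) the application may
# contact for token verification. stream.example.org is a placeholder.
ALLOWED_HOSTS = {"stream.example.org"}

CONTROL_PATH = "/plugin/Live/standAloneFiles/control.json.php"

# Combined-log-format prefix: client IP, identd, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def verification_url_is_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for http(s) URLs whose host is on the allowlist.

    Everything else fails closed: other schemes, missing or malformed hosts,
    IP literals that are not listed, and URLs carrying userinfo such as
    http://stream.example.org@other.example/ (there the allowlisted name is
    the username, not the host that would actually be contacted).
    """
    try:
        parts = urlsplit(url)
    except ValueError:           # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname        # already lower-cased, brackets stripped
    if not host:
        return False
    return host in {h.lower() for h in allowed_hosts}


def scan_access_log(lines, allowed_hosts=ALLOWED_HOSTS, enum_threshold=3):
    """Flag control.json.php requests whose streamerURL fails the allowlist,
    and source IPs that used enum_threshold or more distinct streamerURL values.

    Returns a list of (client_ip, streamer_url_or_None, reason) tuples.
    """
    findings = []
    urls_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith(CONTROL_PATH):
            continue
        # parse_qs percent-decodes, so the check sees the same string PHP would.
        for url in parse_qs(target.query).get("streamerURL", []):
            urls_by_ip[m.group("ip")].add(url)
            if not verification_url_is_allowed(url, allowed_hosts):
                findings.append((m.group("ip"), url, "streamerURL host not allowlisted"))
    for ip, urls in urls_by_ip.items():
        if len(urls) >= enum_threshold:
            findings.append((ip, None, f"{len(urls)} distinct streamerURL values"))
    return findings


# Constructed sample log lines; the IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=https%3A%2F%2Fstream.example.org%2F&key=k1 HTTP/1.1" 200 42',
    '198.51.100.9 - - [10/Mar/2026:12:00:05 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=http%3A%2F%2Frogue-verifier.example%2F&key=k1 HTTP/1.1" 200 42',
    '198.51.100.9 - - [10/Mar/2026:12:00:06 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=http%3A%2F%2Fstream.example.org%40rogue-verifier.example%2F&key=k1 HTTP/1.1" 200 42',
    '198.51.100.9 - - [10/Mar/2026:12:00:07 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=http%3A%2F%2F192.0.2.50%2F&key=k1 HTTP/1.1" 200 42',
    '203.0.113.7 - - [10/Mar/2026:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, url, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{url or ''}")
```

On the sample data the first line passes (allowlisted host), the three requests from 198.51.100.9 are each flagged (external host, userinfo disguise, unlisted IP literal) and that address is additionally flagged for enumeration. The allowlist check is written to fail closed rather than to reject known-bad patterns, which is the inverse of the negative-lookahead WAF regex above and is the form to use inside the application itself.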

Risk Assessment

Likelihood of In-the-Wild Exploitation: Very High. This vulnerability requires no sophisticated techniques, no valid credentials, and offers immediate high-value payoff (stream disruption, data capture). Threat actors targeting media/streaming platforms, competitors engaging in denial-of-service attacks, or opportunistic attackers scanning public AVideo instances will recognize and exploit this immediately.

Threat Actor Interest: High for: (1) competitors targeting streaming services, (2) ransomware operators seeking to disrupt critical infrastructure, (3) activists targeting specific streamers, (4) botnets seeking to compromise streaming pipelines. The low barrier to entry makes it attractive to script kiddies as well.

Timeline Urgency: Critical—if systems are not patched within days of disclosure, assume active exploitation in the wild.