Cyber Resilience

CVE-2026-34731

HighPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0007 21.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34731 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wwbn Avideo. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34731 is a vulnerability in WWBN AVideo, an open source video platform, affecting versions 26.0 and prior. The issue lies in the on_publish_done.php endpoint of the Live plugin, which processes RTMP callback events to mark streams as finished in the database. This endpoint performs no authentication or authorization checks, allowing unauthenticated users to terminate any active live stream. The vulnerability is rated 7.5 on the CVSS:3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).

Unauthenticated remote attackers can exploit this vulnerability by enumerating active stream keys from the unauthenticated stats.json.php endpoint and then sending crafted POST requests to on_publish_done.php. Successful exploitation terminates targeted live broadcasts by updating the database status, resulting in a denial-of-service condition that disrupts all live streaming functionality on the platform.

The GitHub security advisory (GHSA-4jcg-jxpf-5vq3) documents the vulnerability, noting that at the time of publication on 2026-03-31, no publicly available patches were available.

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as…

more

finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in public-facing web endpoint (missing auth on critical function) directly enables T1190 exploitation of public-facing application; crafted requests to terminate streams enable T1499.004 application exploitation for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33719Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo
CVE-2026-34732Same product: Wwbn Avideo
CVE-2025-34434Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33483Same product: Wwbn Avideo
CVE-2025-25214Same product: Wwbn Avideo
CVE-2026-33716Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly preventing unauthenticated termination of live streams via the on_publish_done.php endpoint.

prevent

Limits permitted actions without identification or authentication, ensuring critical functions like stream termination require authentication.

prevent

Enforces protections for publicly accessible endpoints like on_publish_done.php, blocking unauthorized stream termination by remote attackers.

References