Cyber Posture

CVE-2026-34731

High · Public PoC

Published: 31 March 2026

Modified: 01 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0015 (34.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34731 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wwbn Avideo. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces approved authorizations for access to system resources, directly preventing unauthenticated termination of live streams via the on_publish_done.php endpoint.

prevent

Limits permitted actions without identification or authentication, ensuring critical functions like stream termination require authentication.

prevent

Enforces protections for publicly accessible endpoints like on_publish_done.php, blocking unauthorized stream termination by remote attackers.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability is in a public-facing web endpoint (missing authentication on a critical function), which directly maps to T1190, exploitation of a public-facing application. Crafted requests that terminate streams map to T1499.004, application exploitation for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.

Deeper analysis · AI

CVE-2026-34731 is a vulnerability in WWBN AVideo, an open source video platform, affecting versions 26.0 and prior. The issue lies in the on_publish_done.php endpoint of the Live plugin, which processes RTMP callback events to mark streams as finished in the database. This endpoint performs no authentication or authorization checks, allowing unauthenticated users to terminate any active live stream. The vulnerability is rated 7.5 on the CVSS:3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).

Unauthenticated remote attackers can exploit this vulnerability by enumerating active stream keys from the unauthenticated stats.json.php endpoint and then sending crafted POST requests to on_publish_done.php. Successful exploitation terminates targeted live broadcasts by updating the database status, resulting in a denial-of-service condition that disrupts all live streaming functionality on the platform.

The GitHub security advisory (GHSA-4jcg-jxpf-5vq3) documents the vulnerability, noting that at the time of publication on 2026-03-31, no patches were publicly available.
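
With no patch available, detection falls to web server logs: on_publish_done.php handles RTMP callbacks, so POSTs to it from any host other than the RTMP server are suspect. The following is an added example, not code from the advisory or from AVideo; it assumes combined-format access logs and an RTMP server on loopback, and the log lines and `/live-plugin-path/` directory are constructed placeholders.

```python
import ipaddress
import re

# Assumption: legitimate RTMP callbacks come only from the local RTMP server.
TRUSTED_CALLBACK_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample; "/live-plugin-path/" is a placeholder directory.
SAMPLE_LOG = [
    '127.0.0.1 - - [31/Mar/2026:10:00:01 +0000] "POST /live-plugin-path/on_publish_done.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [31/Mar/2026:10:02:10 +0000] "GET /live-plugin-path/stats.json.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Mar/2026:10:02:11 +0000] "POST /live-plugin-path/on_publish_done.php HTTP/1.1" 200 12',
    '198.51.100.20 - - [31/Mar/2026:10:05:00 +0000] "POST /live-plugin-path/on_publish_done.php HTTP/1.1" 200 12',
    'not a log line',
]

def is_trusted(ip):
    """True if ip parses and falls inside a trusted callback network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_CALLBACK_NETS)

def find_suspect_callbacks(lines):
    """Flag POSTs to on_publish_done.php from untrusted sources, noting
    whether the same client fetched stats.json.php earlier in the log."""
    stats_seen, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        path = m["path"].split("?", 1)[0].lower()
        if path.endswith("/stats.json.php"):
            stats_seen.add(m["ip"])
        elif path.endswith("/on_publish_done.php") and m["method"] == "POST":
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]),
                             "read_stats_first": m["ip"] in stats_seen})
    return findings

if __name__ == "__main__":
    for f in find_suspect_callbacks(SAMPLE_LOG):
        print(f)
```

The same trust list can serve as a web-server or firewall allowlist for the callback endpoint, so that only the RTMP server can reach it.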

Details

CWE(s)

Affected Products

Vendor: wwbn · Product: avideo · Versions: ≤ 26.0

CVEs Like This One

CVE-2026-33038 · Same product: Wwbn Avideo
CVE-2026-33719 · Same product: Wwbn Avideo
CVE-2026-34732 · Same product: Wwbn Avideo
CVE-2025-34434 · Same product: Wwbn Avideo
CVE-2026-33513 · Same product: Wwbn Avideo
CVE-2026-33479 · Same product: Wwbn Avideo
CVE-2026-40925 · Same product: Wwbn Avideo
CVE-2026-41056 · Same product: Wwbn Avideo
CVE-2026-34733 · Same product: Wwbn Avideo
CVE-2026-33292 · Same product: Wwbn Avideo
