WebSocket Token Management Vulnerability in AVideo by WWBN
CVE-2026-34362

5.4 MEDIUM

Key Information:

Vendor: WWBN

Status
Vendor
CVE Published: 27 March 2026

What is CVE-2026-34362?

The AVideo platform has a critical issue in its token management for WebSocket connections, found in versions up to and including 26.0. The vulnerability lies in the verifyTokenSocket() function, where the timeout validation for WebSocket tokens is commented out. As a result, tokens that should expire after 12 hours remain valid indefinitely, allowing unauthorized access to users’ WebSocket connections. This leads to a significant security risk, as even after user accounts are deleted or demoted, their tokens can still be used to access real-time connection data, including sensitive information such as IP addresses and browser details. This issue has been rectified in commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5.
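The following added example is not AVideo code and does not come from the fix commit; it illustrates the class of bug described above, where a token's signature is verified but its age is not. The token layout, the key, the function names and the `$activeUsers` account check are assumptions made for the illustration.

```php
<?php
// Added illustration, not AVideo code. Token layout, key and names are assumptions.
const TOKEN_TTL = 12 * 3600;             // the 12-hour lifetime the advisory mentions
const DEMO_KEY  = 'constructed-demo-key';

function issueToken(int $userId, int $issuedAt): string
{
    $body = base64_encode(json_encode(['uid' => $userId, 'iat' => $issuedAt]));
    return $body . '.' . hash_hmac('sha256', $body, DEMO_KEY);
}

// With $enforceExpiry = false the signature is still checked but the age is not,
// which is the behaviour the advisory describes for the affected versions.
function verifyToken(string $token, int $now, ?array $activeUsers = null, bool $enforceExpiry = true): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, DEMO_KEY), $mac)) {
        return null;                     // forged or tampered token
    }
    $claims = json_decode((string) base64_decode($body, true), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['iat'])) {
        return null;                     // malformed payload
    }
    if ($enforceExpiry) {
        $age = $now - (int) $claims['iat'];
        if ($age < 0 || $age > TOKEN_TTL) {
            return null;                 // expired, or issued in the future
        }
    }
    // Additional check (assumption): reject tokens whose account no longer exists,
    // so deletion takes effect before the token's lifetime runs out.
    if ($activeUsers !== null && !in_array((int) $claims['uid'], $activeUsers, true)) {
        return null;
    }
    return $claims;
}

$issued = 1700000000;                    // constructed timestamp
$token  = issueToken(42, $issued);
$later  = $issued + 13 * 3600;           // one hour past the intended lifetime
var_dump(verifyToken($token, $later, [42], false) !== null); // expiry check disabled
var_dump(verifyToken($token, $later, [42]) !== null);        // expiry check enforced
var_dump(verifyToken($token, $issued + 60, []) !== null);    // fresh token, account removed
```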

Affected Version(s)

AVideo <= 26.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
