Authorization Bypass in AVideo's Meet Plugin Affects User Sessions
CVE-2026-56345
9.2 CRITICAL
What is CVE-2026-56345?
AVideo's Meet plugin, up to version 29.0, has an authorization bypass vulnerability that attackers can exploit through the uploadRecordedVideo.json.php endpoint. By manipulating the filename of a malicious file upload, an adversary can derive a target user's ID and invoke a passwordless login, defeating normal authentication measures. Knowledge of the Meet shared secret, which could be compromised through path traversal vulnerabilities or timing attacks, enables the attacker to craft a file that triggers an authenticated session as any user, including administrators. The flaw poses a serious risk of account takeover, potentially giving an attacker full control over user sessions.
Affected Version(s)
AVideo 0 <= 29.0
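For defenders reviewing exposure, the following is an added example (not AVideo's code and not part of the advisory): it scans web access logs for requests to the uploadRecordedVideo.json.php endpoint and flags clients that send bursts of requests, a pattern consistent with repeated attempts against the shared secret. The combined log format, the burst threshold and window, and the sample log lines and paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "uploadRecordedVideo.json.php"  # endpoint named in the advisory
# Common/combined access log format (assumption; adapt to your web server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def endpoint_hits(lines):
    """Yield (ip, time, method, status) for requests to the Meet upload endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if path.rsplit("/", 1)[-1].lower() != ENDPOINT.lower():
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], int(m["status"])

def review(lines, burst=5, window=timedelta(seconds=60)):
    """Summarise hits per client; flag `burst` or more requests inside `window`."""
    by_ip = defaultdict(list)
    for ip, ts, method, status in endpoint_hits(lines):
        by_ip[ip].append((ts, method, status))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        times = [h[0] for h in hits]
        bursty = any(times[i + burst - 1] - times[i] <= window
                     for i in range(len(times) - burst + 1))
        report[ip] = {"hits": len(hits), "burst": bursty,
                      "ok": sum(1 for h in hits if 200 <= h[2] < 300)}
    return report

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE = [
    f'198.51.100.7 - - [10/Mar/2026:12:00:{s:02d} +0000] '
    f'"POST /site/uploadRecordedVideo.json.php HTTP/1.1" {403 if s < 10 else 200} 120'
    for s in range(0, 12, 2)
] + [
    '203.0.113.20 - - [10/Mar/2026:12:05:00 +0000] "POST /site/uploadRecordedVideo.json.php?x=1 HTTP/1.1" 200 98',
    '203.0.113.20 - - [10/Mar/2026:12:05:03 +0000] "GET /site/index.php HTTP/1.1" 200 5120',
    'not a log line',
]
```

Calling `review(SAMPLE)` returns one summary per client address. A successful (2xx) response to this endpoint from a client that is not your Meet infrastructure is worth correlating with the sessions created immediately afterwards.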
