AVideo Meet Plugin Authorization Bypass Enables Session Hijacking

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-56345

AVideo is a web-based video platform designed for content hosting and delivery, which is typically deployed as a public-facing web application. The vulnerable endpoint is part of a plugin intended to handle file uploads, a core function of the product that is commonly exposed to the public internet in standard deployments.

Authentication Bypass

External exposure likelihood (Halo Surface Signal): 4 out of 5 — likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

AVideo's Meet plugin contains a vulnerability that could allow an unauthorized individual to bypass authentication and gain administrative access. This is possible by uploading a specially crafted file that exploits how user IDs are handled, potentially leading to a complete account takeover.

  • Unauthorized access to user accounts.
  • This impacts system security and user data.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could gain administrative access to AVideo by first obtaining a shared secret for the Meet plugin. This secret can be acquired through other vulnerabilities. Once the attacker has the secret, they can upload a specially crafted file. The filename of this file will contain a target user's ID, which the vulnerable endpoint uses to log the attacker in as that user without a password, potentially leading to a full account takeover.

  • Requires knowledge of a shared secret.
  • Uploading a file with a crafted filename.
  • Session hijacking and account takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to hijack any user's session, including administrators, when the Meet plugin is enabled and the Meet shared secret is known. This could lead to unauthorized access and control over the AVideo platform.

  • User accounts and administrative control at risk.
  • Session hijacking via crafted file uploads.
  • Full account takeover is a realistic consequence.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Meet plugin in AVideo is susceptible to an authorization bypass, allowing attackers to hijack admin sessions and take over accounts. Identifying all instances of the AVideo Meet plugin is the crucial first step, followed by an assessment of their reachability and business criticality to determine the appropriate response. The teams responsible for application security, infrastructure, and potentially vendor management should collaborate on this effort.

  • Application owners, security teams.
  • Verify Meet plugin exposure, shared secret.
  • Plan vendor coordination and remediation.

Frequently asked questions

What is AVideo?

AVideo is an open-source, web-based platform built for hosting, streaming, and managing video content. It functions as a comprehensive multimedia delivery system that organizations use to store and broadcast video libraries. Because it handles media ingestion and distribution, the platform often includes plugin extensions, such as the Meet plugin, to add specialized collaboration or conferencing capabilities to the core video environment.

What kind of vulnerability is CVE-2026-56345?

This vulnerability is classified as Improper Authentication (CWE-287). It occurs when software does not correctly verify the identity of a user, allowing unauthorized parties to interact with the system. In this specific case, the software fails to validate who is making an upload request and instead trusts the filename to identify the user. This logic flaw allows an attacker to bypass standard login requirements and trick the system into granting them an active session as someone else.

How can an attacker trigger this issue?

To trigger this bug, an attacker must first obtain a shared secret used by the Meet plugin. Once they possess this secret, they can craft a file with a specific filename structure that includes a target user's ID. By uploading this file, they bypass the password check and force the system to log them in as that user. Note that simply uploading a standard file without the correct shared secret or the crafted filename pattern does not trigger this specific authentication bypass.
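The CWE-287 pattern described in the two answers above, modelled as a small added example (not AVideo's or the Meet plugin's code): the flawed handler derives the session identity from a user ID embedded in the uploaded filename once the shared secret matches, while the hardened handler uses the shared secret only to authorise the plugin call and takes identity solely from the already-authenticated session. The `user_<id>_` filename pattern, the `Upload` structure and the user table are constructed assumptions; the advisory does not disclose the real format.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

MEET_SHARED_SECRET = "constructed-secret-placeholder"  # placeholder, not a real value
USERS = {1: "admin", 2: "alice"}                        # constructed user table

@dataclass
class Upload:
    filename: str
    secret: str                      # Meet shared secret presented by the caller
    session_user_id: Optional[int]   # user the HTTP session is really authenticated as (None = anonymous)

# Hypothetical filename convention; the real AVideo format is not known from the advisory.
_USER_IN_NAME = re.compile(r"^user_(\d+)_")

def vulnerable_handle_upload(up: Upload) -> Optional[int]:
    """Flawed logic: the shared secret plus a crafted filename is enough to
    obtain a session as whichever user ID the filename names (CWE-287)."""
    if not hmac.compare_digest(up.secret, MEET_SHARED_SECRET):
        return None
    m = _USER_IN_NAME.match(up.filename)
    if not m:
        return None
    uid = int(m.group(1))
    # Session identity is taken from caller-controlled data, not from authentication.
    return uid if uid in USERS else None

def hardened_handle_upload(up: Upload) -> Optional[int]:
    """Fix: the shared secret only authorises the plugin call; the acting user
    comes exclusively from the authenticated session. Any user ID in the
    filename is treated as untrusted metadata and never selects an account."""
    if not hmac.compare_digest(up.secret, MEET_SHARED_SECRET):
        return None
    if up.session_user_id is None or up.session_user_id not in USERS:
        return None          # unauthenticated callers get no session, whatever the filename says
    return up.session_user_id
```

The hardened variant is what to look for when reviewing a fix: no code path should map a filename, query parameter or header to a user ID for the purpose of establishing a session.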

Is my AVideo instance at risk?

Halo Surface Signal indicates that AVideo is typically deployed as a public-facing web application, and the Meet plugin handles core file upload functions, making it a high-interest target for attackers scanning the internet. If your installation has the Meet plugin enabled, it is potentially reachable by external actors. You should prioritize assessing whether your deployment is exposed to the internet and whether the plugin is strictly necessary for your current operations.

How do I respond to CVE-2026-56345?

Begin by identifying all servers in your environment where the AVideo Meet plugin is active. Once identified, evaluate the necessity of the plugin and determine if it can be disabled to mitigate risk immediately. Coordinate with your application security and infrastructure teams to review access controls and monitor for unauthorized activity. Keep track of official project communications for security updates that address the underlying authorization logic.