CVE-2026-33716

WWBN · AVideo

WWBN AVideo contains an authentication bypass in the Live plugin's standalone control endpoint. Attackers can redirect token verification to a malicious server to gain control over live streams.

Executive summary

A critical authentication bypass vulnerability in WWBN AVideo allows unauthenticated remote attackers to hijack and manipulate any active live stream on the platform.

Vulnerability

This is an authentication bypass vulnerability located in the plugin/Live/standAloneFiles/control.json.php endpoint. An unauthenticated attacker can supply a malicious streamerURL parameter, forcing the server to validate tokens against an attacker-controlled server that always returns a success response.

Business impact

A successful exploit grants an attacker full unauthorized control over the platform's live streaming functionality. This includes the ability to terminate active broadcasts, start or stop recordings, and probe the system for private stream metadata. Given the CVSS score of 9.4, this represents a critical risk to data integrity and service availability, potentially leading to significant reputational damage for media organizations.

Remediation

Immediate Action: Administrators must immediately apply the patch identified in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 or update to a version beyond 26.0.

Proactive Monitoring: Review web server access logs for unusual requests to control.json.php, specifically looking for external or unrecognized IP addresses in the streamerURL parameter.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block or sanitize requests to the standAloneFiles directory that contain external URLs in the query parameters.
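As an added example (not from the advisory or from AVideo's code base), the log review and allowlist check described above in one script: it scans combined-format access log lines for control.json.php requests and flags any whose streamerURL host is not a known streamer. The TRUSTED_STREAMER_HOSTS set and the log lines are constructed placeholders for a hypothetical deployment.

```python
"""Flag control.json.php requests whose streamerURL points outside the
deployment's known streamer hosts (added example, not AVideo code)."""
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist: hosts this deployment legitimately verifies
# stream tokens against. Operators substitute their own values.
TRUSTED_STREAMER_HOSTS = {"streamer.example.org", "live.example.org"}

# Request field of a combined-log-format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def streamer_url_from_request(target: str):
    """Return the decoded streamerURL value from a request target, or None
    when the request is not for control.json.php or has no streamerURL."""
    parts = urlsplit(target)
    if not parts.path.endswith("/plugin/Live/standAloneFiles/control.json.php"):
        return None
    values = parse_qs(parts.query).get("streamerURL")  # parse_qs URL-decodes
    return values[0] if values else None

def is_trusted_streamer_url(url: str) -> bool:
    """Trust only HTTPS URLs whose host is allowlisted. urlsplit().hostname
    ignores any userinfo prefix, so 'trusted.host@other.host' is not fooled."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_STREAMER_HOSTS

def suspicious_requests(log_lines):
    """Return (client_ip, streamerURL) pairs for control.json.php requests
    whose streamerURL is not an allowlisted streamer host."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = streamer_url_from_request(m.group("target"))
        if url is not None and not is_trusted_streamer_url(url):
            hits.append((line.split(" ", 1)[0], url))
    return hits

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=https%3A%2F%2Fstreamer.example.org%2F&action=status HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2026:12:00:05 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=http%3A%2F%2F203.0.113.55%3A8080%2F&action=stop HTTP/1.1" 200 88',
    '203.0.113.7 - - [10/Mar/2026:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, url in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious: client={ip} streamerURL={url}")
```

Feed it the real access log (one line per list element) and investigate every hit; a legitimate deployment should only ever see allowlisted hosts in that parameter.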

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a severe security failure in the platform's authentication logic. Because it allows unauthenticated control over core business functions, it must be treated as a top priority. Organizations using AVideo for live broadcasting should apply the available patch immediately to prevent unauthorized stream hijacking.