{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34362", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.368Z", "datePublished": "2026-03-27T16:42:28.779Z", "dateUpdated": "2026-03-27T16:42:28.779Z"}, "containers": {"cna": {"title": "AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2mg4-pfgx-64cf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2mg4-pfgx-64cf"}, {"name": "https://github.com/WWBN/AVideo/commit/5d5237121bf82c24e9e0fdd5bc1699f1157783c5", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/5d5237121bf82c24e9e0fdd5bc1699f1157783c5"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T16:42:28.779Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to provide permanent WebSocket access, even after user accounts are deleted, banned, or demoted from admin. Admin tokens grant access to real-time connection data for all online users including IP addresses, browser info, and page locations. Commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 fixes the issue."}], "source": {"advisory": "GHSA-2mg4-pfgx-64cf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to provide permanent WebSocket access, even after user accounts are deleted, banned, or demoted from admin. Admin tokens grant access to real-time connection data for all online users including IP addresses, browser info, and page locations. Commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 fixes the issue."}], "id": "CVE-2026-34362", "lastModified": "2026-03-27T17:16:30.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T17:16:30.370", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/5d5237121bf82c24e9e0fdd5bc1699f1157783c5"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2mg4-pfgx-64cf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T18:21:22.600866+00:00", "value": {"mitigation_remediation": ["Apply the official patch referenced in commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 to restore token timeout validation.", "Upgrade the AVideo installation to a version newer than 26.0 where the timeout check has been reinstated.", "If an upgrade is not immediately possible, revoke all existing WebSocket tokens by disabling token generation or forcing user re\u2011authentication for any accounts with administrative privileges.", "Monitor WebSocket traffic for suspicious long\u2011lived connections as an interim detection measure."], "summary": {"action": "Apply Patch", "impact": "Persistent WebSocket Token Exploitation"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, versions up to and including 26.0. The vulnerability arises specifically in the verifyTokenSocket() function within plugin/YPTSocket/functions.php. No other products or vendors are noted as impacted.", "description_and_impact": "The vulnerability lies in the WebSocket authentication routine of the AVideo platform, where the token timeout check was inadvertently disabled. Tokens generated for up to 12 hours never expire, enabling an attacker who obtains a token\u2014whether through legitimate access, credential compromise, or network eavesdropping\u2014to maintain continuous WebSocket access indefinitely. An attacker using an administrative token can stream real\u2011time session data of all online users, including IP addresses, browser details, and page locations, constituting a breach of confidentiality and potential escalation of authority. This issue is classified as CWE\u2011613, reflecting improper control of authentication timeouts.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the vulnerability does not appear in the CISA KEV catalog. No EPSS data is available. The attack vector is inferred to involve interception or acquisition of a valid WebSocket token, either through sniffing network traffic, accessing logs, or escalating privileges via an admin account that still possesses a valid token. Once obtained, the token grants persistent access, thus the risk is mainly confidentiality and potential privilege escalation rather than immediate denial of service or remote code execution."}}}}, "created": "2026-03-27T20:28:00.103914+00:00", "updated": "2026-03-27T20:28:00.103943+00:00", "vendors": []}