CVE-2026-34247 is a missing authorization vulnerability (CWE-862) found in WWBN AVideo, an open-source video platform. Specifically, the vulnerability exists in the plugin/Live/uploadPoster.php endpoint in versions up to and including 26.0. This endpoint allows any authenticated user to overwrite the poster image of any scheduled live stream by supplying an arbitrary live_schedule_id parameter. The critical flaw is that the endpoint only verifies that the user is logged in (User::isLogged()) but does not verify whether the user owns or is authorized to modify the targeted live schedule. Consequently, an attacker with valid credentials can manipulate other users' scheduled live streams by changing their poster images. Furthermore, after the poster is overwritten, the endpoint broadcasts a socketLiveOFFCallback notification to all connected WebSocket clients. This notification contains sensitive information such as the victim's broadcast key and user ID, which could be used for further attacks or unauthorized access. The vulnerability has a CVSS v3.1 base score of 5.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated user), no user interaction, and impacts confidentiality and integrity but not availability. The issue was addressed in a commit identified by hash 5fcb3bdf59f26d65e203cfbc8a685356ba300b60, which implements proper authorization checks to ensure only owners can modify their live schedules.

The vulnerability allows authenticated users to overwrite poster images of any scheduled live stream, which can lead to unauthorized content manipulation and potential reputational damage for organizations relying on AVideo for live streaming. More critically, the broadcast of the victim's broadcast key and user ID to all connected WebSocket clients exposes sensitive credentials that could be leveraged to hijack live streams, impersonate users, or gain unauthorized access to private content. This leakage of broadcast keys undermines confidentiality and could facilitate further attacks such as unauthorized streaming or data exfiltration. Although the vulnerability does not affect availability directly, the integrity and confidentiality impacts can disrupt trust in the platform and lead to compliance issues, especially for organizations handling sensitive or proprietary video content. The requirement for authentication limits exploitation to users with valid credentials, but insider threats or compromised accounts could exploit this flaw. The medium CVSS score reflects moderate risk, but the exposure of broadcast keys elevates the potential impact beyond simple content defacement.

Organizations using WWBN AVideo versions up to 26.0 should immediately upgrade to the fixed version containing commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 or apply the patch that enforces proper authorization checks on the uploadPoster.php endpoint. In addition to patching, administrators should audit user permissions and monitor live stream poster changes for unusual activity. Implementing WebSocket traffic monitoring and filtering can help detect or block unauthorized broadcast key disclosures. Restricting access to the live stream management interface to trusted users and enforcing strong authentication mechanisms (e.g., multi-factor authentication) will reduce the risk of exploitation by compromised accounts. Organizations should also consider rotating broadcast keys if unauthorized disclosure is suspected. Finally, reviewing and hardening other endpoints for similar missing authorization issues is recommended to prevent analogous vulnerabilities.