CVE-2026-34362: CWE-613: Insufficient Session Expiration in WWBN AVideo
CVE-2026-34362 is a medium-severity vulnerability in WWBN AVideo versions up to 26.0 where WebSocket tokens never expire due to disabled timeout validation. This flaw allows attackers with captured or legitimate tokens to maintain indefinite WebSocket access, even after user account changes such as deletion or demotion. Admin tokens are especially sensitive, exposing real-time connection data including IP addresses, browser details, and page locations of all online users. The vulnerability arises from the commented-out token timeout check in the verifyTokenSocket() function. Although no known exploits are reported, the risk of persistent unauthorized access is significant. The issue is fixed in a later commit, and users should update promptly to mitigate risk. Organizations using AVideo should review token management and session expiration policies to prevent abuse.
AI Analysis
Technical Summary
CVE-2026-34362 affects WWBN AVideo, an open-source video platform, specifically versions up to and including 26.0. The vulnerability stems from the verifyTokenSocket() function in plugin/YPTSocket/functions.php, where the token timeout validation code has been commented out. Although tokens are generated with a 12-hour timeout, this disabled validation causes tokens to effectively never expire. As a result, any WebSocket token—whether captured through interception or legitimately obtained—can be reused indefinitely to access WebSocket connections. This persistent access remains valid even if the associated user account is deleted, banned, or demoted from administrative privileges. The impact is particularly severe for admin tokens, which grant access to sensitive real-time data such as IP addresses, browser information, and page locations of all online users connected via WebSocket. The vulnerability is classified under CWE-613 (Insufficient Session Expiration), highlighting a failure in enforcing proper session lifecycle management. The issue was addressed in commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5, which restores token timeout validation. The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and limited confidentiality and integrity impact without availability impact. No known exploits are currently reported in the wild.
Potential Impact
The vulnerability allows attackers to maintain indefinite WebSocket access using stolen or legitimate tokens, bypassing normal session expiration controls. This persistent access can lead to unauthorized monitoring of real-time user connection data, including sensitive metadata such as IP addresses, browser fingerprints, and page navigation details. For administrators, compromised tokens could expose the entire user base's online activity, potentially facilitating further targeted attacks or privacy violations. The inability to revoke tokens upon user account changes (deletion, banning, or privilege demotion) exacerbates the risk, as attackers retain access despite administrative actions. Organizations relying on AVideo for video streaming or conferencing may face data confidentiality breaches and erosion of user trust. Although availability is not directly impacted, the exposure of sensitive information and potential for privilege escalation represent significant security concerns. The medium severity rating indicates a moderate but actionable threat, especially for deployments with high-value or sensitive user data.
Mitigation Recommendations
1. Immediately update AVideo installations to versions including the fix from commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 or later to restore proper token timeout validation.
2. Audit existing WebSocket tokens and revoke or invalidate all active tokens issued before the patch to prevent continued unauthorized access.
3. Implement additional monitoring on WebSocket connections to detect unusual or persistent sessions that may indicate token misuse.
4. Enforce strict session management policies, including token expiration and revocation tied to user account status changes (deletion, banning, privilege changes).
5. Consider deploying Web Application Firewalls (WAFs) or network-level controls to limit WebSocket traffic to trusted clients and IP ranges.
6. Educate administrators and users on secure token handling and the risks of token leakage.
7. Regularly review and test session management mechanisms to ensure compliance with security best practices and prevent similar issues.
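The following PHP snippet is an added illustration of the pattern described in the Technical Summary and of mitigation item 4 above; it is not code from AVideo or from the fixing commit. The token format (a base64 JSON payload plus an HMAC), the function names issueToken, parseToken, verifyTokenSocketVulnerable and verifyTokenSocketHardened, the SECRET constant and the in-memory user table are all constructed for the example. It shows how a verifier whose timeout check is commented out accepts a token forever, and how a hardened verifier enforces the 12-hour lifetime and re-checks the account's current status so that deletion, banning or demotion revokes WebSocket access.

```php
<?php
// Added example (hypothetical; not AVideo's own code): a minimal WebSocket
// token with an issued-at timestamp, verified two ways.

const TOKEN_TTL_SECONDS = 12 * 3600;       // the 12-hour lifetime the advisory mentions
const SECRET = 'constructed-demo-secret';   // hypothetical server-side secret

// Constructed stand-in for the user table; a real deployment queries the database.
function userIsActive(int $userId, array $users): bool {
    return isset($users[$userId]) && $users[$userId]['status'] === 'active';
}

// Issue a token: JSON payload (user id, admin flag, issued-at) plus an HMAC.
function issueToken(int $userId, bool $isAdmin, int $now): string {
    $payload = json_encode(['uid' => $userId, 'admin' => $isAdmin, 'iat' => $now]);
    $mac = hash_hmac('sha256', $payload, SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Parse and authenticate a token; returns null on any malformed or forged input.
function parseToken(string $token): ?array {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return null;
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// CWE-613 pattern: the timeout check exists but is commented out, so every
// token with a valid MAC is accepted no matter how old it is.
function verifyTokenSocketVulnerable(string $token, int $now): ?array {
    $data = parseToken($token);
    if ($data === null) {
        return null;
    }
    // if ($now - $data['iat'] > TOKEN_TTL_SECONDS) { return null; }
    return $data;
}

// Hardened: enforce the lifetime, reject timestamps from the future, and
// consult the account's current status and role on every verification.
function verifyTokenSocketHardened(string $token, int $now, array $users): ?array {
    $data = parseToken($token);
    if ($data === null || !isset($data['iat'], $data['uid'])) {
        return null;
    }
    $age = $now - (int) $data['iat'];
    if ($age < 0 || $age > TOKEN_TTL_SECONDS) {
        return null;                                  // expired or clock-skewed token
    }
    $uid = (int) $data['uid'];
    if (!userIsActive($uid, $users)) {
        return null;                                  // deleted or banned account
    }
    $data['admin'] = $users[$uid]['admin'];           // never trust the role baked into the token
    return $data;
}

// Constructed demo run.
$users  = [42 => ['status' => 'active', 'admin' => true]];
$issued = 1700000000;
$token  = issueToken(42, true, $issued);
$later  = $issued + 13 * 3600;                        // 13 hours later, past the 12-hour TTL

var_dump(verifyTokenSocketVulnerable($token, $later) !== null);        // stale token still accepted
var_dump(verifyTokenSocketHardened($token, $later, $users) === null);  // stale token rejected

// Demotion within the TTL: the token is fresh, but the current role is used.
$users[42]['admin'] = false;
$fresh = verifyTokenSocketHardened($token, $issued + 3600, $users);
var_dump($fresh !== null && $fresh['admin'] === false);

// Deletion within the TTL: the account no longer exists, so access is revoked.
unset($users[42]);
var_dump(verifyTokenSocketHardened($token, $issued + 3600, $users) === null);
```

The design point is that a signature alone proves only who issued the token, not whether it should still be honoured; expiry and a live lookup of account status are what give an operator the ability to revoke access after a ban, deletion or demotion, which is exactly what the commented-out check removed.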
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:43:14.368Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6b7823c064ed76fc77db6
Added to database: 3/27/2026, 4:59:46 PM
Last enriched: 3/27/2026, 5:15:36 PM
Last updated: 3/27/2026, 6:02:10 PM