CVE-2026-34374 is a critical SQL injection vulnerability found in the open-source video platform WWBN AVideo, affecting all versions up to and including 26.0. The flaw exists in the Live_schedule::keyExists() method, which is used as a fallback during RTMP publish authentication to verify stream keys. Unlike the primary lookup function that uses parameterized queries, this fallback method interpolates the stream key directly into the SQL query string without proper sanitization or parameterization, violating CWE-89 standards. This improper neutralization of special elements in SQL commands allows an attacker to inject malicious SQL code, potentially leading to unauthorized data access, data modification, or other database compromises. The vulnerability is distinct from a previously known SQL injection (GHSA-pvw4-p2jm-chjm) affecting a different parameter. No patches have been released as of the publication date, and no known exploits are reported in the wild yet. The CVSS v3.1 score of 9.1 indicates a critical severity with network attack vector, no required privileges, no user interaction, and high impact on confidentiality and integrity. This vulnerability poses a significant risk to organizations relying on AVideo for streaming services, especially those using RTMP authentication mechanisms.

The impact of CVE-2026-34374 is severe for organizations using WWBN AVideo as it allows unauthenticated remote attackers to perform SQL injection attacks via the stream key lookup during RTMP publish authentication. Successful exploitation can lead to unauthorized disclosure of sensitive data stored in the backend database, including user credentials, stream metadata, and potentially other confidential information. Attackers may also alter or delete data, undermining data integrity and trustworthiness. Although availability impact is rated low, the compromise of authentication mechanisms can facilitate further attacks or unauthorized streaming. This vulnerability could lead to reputational damage, regulatory non-compliance, and financial losses for affected organizations. Given the widespread use of AVideo in content delivery and streaming platforms, the threat extends to media companies, educational institutions, and enterprises relying on video streaming. The absence of a patch increases exposure time, raising the risk of exploitation as attackers develop proof-of-concept or weaponized exploits.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict network access to the RTMP publish authentication endpoints to trusted IP addresses or VPNs to reduce exposure. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the stream key parameter. 3) Monitor application logs and database query logs for anomalous or unexpected SQL queries indicative of injection attempts. 4) Consider disabling or limiting RTMP publishing features if not essential, or replace with alternative authentication mechanisms. 5) Conduct thorough code reviews and testing to identify any other unparameterized SQL queries in the application. 6) Prepare for rapid patch deployment once WWBN releases an official fix by maintaining an up-to-date inventory of affected systems. 7) Educate development teams on secure coding practices, emphasizing parameterized queries and input validation to prevent similar vulnerabilities.