
CVE-2026-34731: CWE-306: Missing Authentication for Critical Function in WWBN AVideo

Severity: High
Tags: CVE-2026-34731, cve, cwe-306
Published: Tue Mar 31 2026 (03/31/2026, 20:50:23 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

CVE-2026-34731 is a high-severity vulnerability in WWBN AVideo versions 26.0 and earlier, where the on_publish_done.php endpoint in the Live plugin lacks authentication. This flaw allows unauthenticated attackers to terminate any active live stream by sending crafted POST requests, resulting in denial-of-service against live broadcasts. Attackers can first enumerate active stream keys via the unauthenticated stats.json.php endpoint, then exploit the missing authentication to stop streams. No patches are currently available, and exploitation requires no privileges or user interaction. The vulnerability impacts the availability of live streaming functionality but does not affect confidentiality or integrity. Organizations using AVideo for live streaming should urgently implement mitigations to prevent disruption.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/31/2026, 21:23:24 UTC

Technical Analysis

CVE-2026-34731 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting WWBN AVideo, an open-source video platform widely used for live streaming. In versions 26.0 and prior, the Live plugin's on_publish_done.php endpoint processes RTMP callback events to mark live streams as finished in the backend database. However, this endpoint does not perform any authentication or authorization checks, allowing any unauthenticated user to send POST requests to terminate active live streams arbitrarily. Attackers can first enumerate active stream keys by accessing the unauthenticated stats.json.php endpoint, which exposes stream keys publicly. With these keys, attackers craft POST requests to on_publish_done.php to forcibly end live broadcasts, effectively causing denial-of-service (DoS) on the live streaming service. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting high severity due to its ease of exploitation (no privileges or user interaction required) and complete impact on availability of live streams. No confidentiality or integrity impact is noted. At the time of disclosure, no patches or official fixes are available, increasing the urgency for organizations to apply mitigations. This vulnerability threatens the reliability and availability of live streaming services hosted on AVideo platforms, potentially disrupting business operations, user engagement, and content delivery.

Potential Impact

The primary impact of CVE-2026-34731 is a denial-of-service condition against live streaming functionality on affected AVideo platforms. Organizations relying on AVideo for live broadcasts, including media companies, educational institutions, event organizers, and content creators, may experience service interruptions, loss of audience trust, and reputational damage. The ability for unauthenticated attackers to terminate any active stream without detection or authorization can lead to repeated disruptions and potential financial losses, especially for revenue-generating live events. Although confidentiality and integrity are not directly compromised, the availability impact alone can severely affect operational continuity and user experience. Additionally, the public exposure of active stream keys via the stats.json.php endpoint increases the attack surface and facilitates exploitation. The lack of patches means organizations must rely on mitigations until an official fix is released. This vulnerability could also be leveraged in broader attack campaigns targeting live streaming infrastructure, amplifying its impact.

Mitigation Recommendations

To mitigate CVE-2026-34731, organizations should implement the following specific measures:

1) Restrict access to the on_publish_done.php and stats.json.php endpoints by enforcing IP whitelisting or network-level access controls to trusted RTMP servers or internal systems only.
2) Deploy web application firewalls (WAFs) with custom rules to detect and block unauthorized POST requests to on_publish_done.php and enumeration attempts on stats.json.php.
3) Temporarily disable or remove the Live plugin if live streaming is not critical or can be paused until a patch is available.
4) Monitor logs for unusual or repeated POST requests to on_publish_done.php and anomalous access patterns to stats.json.php to detect potential exploitation attempts.
5) Consider implementing additional authentication or token-based validation at the application or reverse proxy level for RTMP callback endpoints.
6) Engage with WWBN and community forums to track patch releases and apply updates promptly once available.
7) Educate operational teams about this vulnerability and establish incident response plans for live stream disruptions.

These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and temporary disabling of vulnerable components.
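As an added example for mitigations 1 and 4 (not code from the advisory or from the AVideo project), the check below scans web-server access logs for on_publish_done.php POSTs that did not originate from the trusted RTMP server and for sources that also read stats.json.php. The allowlisted address, the log lines and the directory prefix in the paths are constructed for the example; matching is done on the script name so it does not depend on where the Live plugin is mounted.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist: the only host expected to deliver RTMP callbacks.
# Assumption for this example: the RTMP server is 10.0.0.5; adjust to your site.
TRUSTED_RTMP_SOURCES = {ipaddress.ip_address("10.0.0.5")}

# Combined-log-format lines constructed for this example; PLACEHOLDER_DIR stands
# in for the real install path, which the advisory does not give.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2026:20:50:01 +0000] "POST /PLACEHOLDER_DIR/on_publish_done.php HTTP/1.1" 200 12
198.51.100.7 - - [31/Mar/2026:20:51:10 +0000] "GET /PLACEHOLDER_DIR/stats.json.php HTTP/1.1" 200 4096
198.51.100.7 - - [31/Mar/2026:20:51:12 +0000] "POST /PLACEHOLDER_DIR/on_publish_done.php HTTP/1.1" 200 12
198.51.100.7 - - [31/Mar/2026:20:51:13 +0000] "POST /PLACEHOLDER_DIR/on_publish_done.php HTTP/1.1" 200 12
203.0.113.9 - - [31/Mar/2026:20:52:00 +0000] "GET /index.php HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    # Script basename, with any query string dropped.
    rec["script"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec

def find_suspicious(log_text, trusted=TRUSTED_RTMP_SOURCES):
    """Return (untrusted callback POSTs as (ip, ts), Counter of stats.json.php readers)."""
    callbacks, readers = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["script"] == "on_publish_done.php" and rec["method"] == "POST"
                and rec["ip"] not in trusted):
            callbacks.append((str(rec["ip"]), rec["ts"]))
        elif rec["script"] == "stats.json.php":
            readers[str(rec["ip"])] += 1
    return callbacks, readers

def correlated_sources(log_text, trusted=TRUSTED_RTMP_SOURCES):
    """IPs that both read stats.json.php and sent an untrusted on_publish_done.php POST."""
    callbacks, readers = find_suspicious(log_text, trusted)
    return sorted({ip for ip, _ in callbacks} & set(readers))
```

Any address returned by correlated_sources is a candidate for blocking at the proxy or firewall; a callback POST from outside the allowlist is itself worth an alert even without a matching stats.json.php read.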


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-30T18:41:20.754Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69cc37c1e6bfc5ba1d418a01

Added to database: 3/31/2026, 9:08:17 PM

Last enriched: 3/31/2026, 9:23:24 PM

Last updated: 4/1/2026, 5:18:33 AM
