CVE-2026-34368: AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

March 30, 2026

The transferBalance() method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender’s wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d
github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr
github.com/advisories/GHSA-h54m-c522-h6qr
nvd.nist.gov/vuln/detail/CVE-2026-34368

Code Behaviors & Features

Detect and mitigate CVE-2026-34368 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →