CVE-2026-34731: AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php

April 1, 2026

The AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.

An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/e0b9e71f6f3b34f12ad78c1a69d4e1f584b49673
github.com/WWBN/AVideo/security/advisories/GHSA-4jcg-jxpf-5vq3
github.com/advisories/GHSA-4jcg-jxpf-5vq3
nvd.nist.gov/vuln/detail/CVE-2026-34731

Code Behaviors & Features

Detect and mitigate CVE-2026-34731 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →