CVE-2026-34738: AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

April 1, 2026

AVideo’s video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video’s status to any valid state, including “active” (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/34f0237e2449d2e564a69fe3c5c71c830f5d11fd
github.com/WWBN/AVideo/security/advisories/GHSA-m577-w9j8-ch7j
github.com/advisories/GHSA-m577-w9j8-ch7j
nvd.nist.gov/vuln/detail/CVE-2026-34738

Code Behaviors & Features

Detect and mitigate CVE-2026-34738 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →