CVE-2026-29093: AVideo: Unauthenticated PHP session store exposed to host network via published memcached port

March 5, 2026 (updated March 6, 2026)

The official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/releases/tag/24.0
github.com/WWBN/AVideo/security/advisories/GHSA-xxpw-32hf-q8v9
github.com/advisories/GHSA-xxpw-32hf-q8v9
nvd.nist.gov/vuln/detail/CVE-2026-29093

Code Behaviors & Features

Detect and mitigate CVE-2026-29093 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →