CVE-2026-34738 - AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
CVE ID :CVE-2026-34738
Published : March 31, 2026, 8:55 p.m. | 20 minutes ago
Description :WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : March 31, 2026, 8:55 p.m. | 20 minutes ago
Description :WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...