CVE-2026-34738 MEDIUM

CVE-2026-34738: AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

Vendor Wwbn
Product AVideo
Weakness CWE-285
Published March 31, 2026
Last update April 1, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
April 1, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12005 WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update CVE-2025-21348 Microsoft SharePoint Server Remote Code Execution Vulnerability CVE-2021-41093 Account takeover when having only access to a user's short lived token CVE-2020-15084 Authorization bypass in express-jwt CVE-2025-66290 OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Candidate Attachments