Critical Zero-Click Vulnerability in AVideo Platform Enables Unauthenticated Stream Hijacking
A critical security flaw has been identified in AVideo, a widely utilized open-source video hosting and streaming platform. Designated as CVE-2026-29058, this zero-click vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on targeted servers, posing a severe risk to the integrity and security of streaming infrastructures.
Discovery and Impact
Security researcher Arkmarta uncovered this vulnerability, which specifically affects AVideo version 6.0. The flaw has been addressed in version 7.0 and subsequent releases. Classified under CWE-78, which pertains to the improper neutralization of special elements in an OS command, this network-based attack requires neither system privileges nor user interaction. Successful exploitation could lead to full server compromise, unauthorized access to sensitive configuration data, and complete hijacking of live video streams.
Technical Details
The vulnerability resides in the `objects/getImage.php` component of the AVideo platform. The issue arises when the application processes network requests containing a `base64Url` parameter. The platform decodes this user-supplied input and incorporates it directly into a double-quoted `ffmpeg` shell command. Although the software attempts to validate the input using standard URL filters, these checks only assess basic URL syntax and fail to neutralize dangerous shell metacharacters or command substitution sequences. Consequently, remote attackers can append malicious instructions, enabling them to execute arbitrary code, exfiltrate internal credentials, or disrupt the server’s streaming capabilities.
Mitigation Measures
Administrators operating AVideo-Encoder version 6.0 are strongly advised to upgrade to version 7.0 or later to secure their environments. The patched release addresses the issue by implementing strict shell argument escaping, utilizing functions like `escapeshellarg()`. This fix ensures that all user-supplied input is properly sanitized before interacting with the command line, effectively preventing attackers from manipulating the command structure.
If an immediate software upgrade is not feasible, security teams should implement temporary workarounds to protect their streaming infrastructure. Recommended measures include:
– Restricting Access: Limit access to the vulnerable `objects/getImage.php` endpoint at the web server or reverse proxy layer using strict IP allowlisting.
– Deploying Web Application Firewalls (WAF): Apply WAF rules designed to inspect and actively block suspicious Base64-encoded shell command patterns.
– Disabling Unnecessary Components: If the image retrieval component is not essential for daily operations, consider disabling it entirely to eliminate the attack vector.
Conclusion
The discovery of CVE-2026-29058 underscores the critical importance of regular security assessments and prompt software updates in maintaining the integrity of streaming platforms. Administrators must prioritize the implementation of the recommended mitigation strategies to safeguard their systems against potential exploitation.
