AVideo Session Fixation Vulnerability (CVE-2026-33492)
AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.
AVideo, an open-source video platform, is vulnerable to a session fixation attack (CVE-2026-33492) in versions up to and including 26.0. The vulnerability stems from the _session_start() function, which improperly accepts arbitrary session IDs via the PHPSESSID GET parameter. Furthermore, session regeneration is bypassed for specific blacklisted endpoints when the request originates from the same domain. Critically, the User::login() function explicitly disables session regeneration. This combination allows an attacker to set a victim's session ID before they authenticate, and subsequently hijack their authenticated session. This is a critical vulnerability as it can lead to complete account takeover. A patch is available in commit 5647a94d79bf69a972a86653fe02144079948785.
Attack Chain
- Attacker identifies a vulnerable AVideo instance (version 26.0 or earlier).
- Attacker crafts a malicious link or uses another method to send the victim a URL to the AVideo site that includes a
PHPSESSIDparameter with a session ID controlled by the attacker (e.g.,https://example.com/?PHPSESSID=attacker_session_id). - The victim clicks the link and their browser sets the
PHPSESSIDcookie to the attacker-controlled value. The AVideo server starts a PHP session using the provided session ID. - The victim logs into the AVideo platform. The
User::login()function, due to the vulnerability, does not regenerate the session ID upon successful authentication. - The victim's authenticated session continues to use the attacker-controlled
PHPSESSID. - The attacker uses the same
PHPSESSIDvalue in their own browser to access the AVideo site. - The AVideo server authenticates the attacker as the victim because the session ID matches the victim's authenticated session.
- The attacker now has complete access to the victim's account, including their videos, personal information, and administrative privileges if applicable.
Impact
Successful exploitation of this vulnerability allows an attacker to completely take over a user's account on the AVideo platform. This could lead to unauthorized access to sensitive video content, modification or deletion of videos, defacement of the platform, or further attacks leveraging the compromised account. The number of potential victims depends on the number of vulnerable AVideo instances and their user base, but the impact is significant for each compromised account.
Recommendation
- Apply the patch available in commit 5647a94d79bf69a972a86653fe02144079948785 to remediate the session fixation vulnerability.
- Deploy the Sigma rule
Detect AVideo Session Fixation Attempt via PHPSESSID GET Parameterto identify potential exploitation attempts (Sigma rule). - Monitor web server logs for requests containing the
PHPSESSIDparameter in the query string to identify potential session fixation attempts (webserver logs). - Consider implementing a web application firewall (WAF) rule to block requests containing the
PHPSESSIDparameter in the query string (webserver logs).
Detection coverage 2
Detect AVideo Session Fixation Attempt via PHPSESSID GET Parameter
highDetects potential session fixation attacks against AVideo by monitoring for HTTP requests with the PHPSESSID parameter in the GET request.
Detect AVideo Login without Session Regeneration
mediumDetects a login event on AVideo without subsequent session regeneration, indicating potential exploitation of CVE-2026-33492.
Detection queries are available on the platform. Get full rules →