CVE-2026-29093
Published: 06 March 2026
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2026-29093 affects WWBN AVideo, an open source video platform, in versions prior to 24.0. The vulnerability stems from the official docker-compose.yml file exposing the memcached service on the host port 11211 (bound to 0.0.0.0:11211) without any authentication. Meanwhile, the Dockerfile configures PHP to store all user sessions in this memcached instance, allowing unauthorized access to sensitive session data.
Remote attackers who can reach the exposed memcached port 11211 can read, modify, or flush session data without requiring application-level authentication. This enables session hijacking, impersonation of administrators, and mass destruction of user sessions, potentially disrupting the platform and granting unauthorized control.
The issue has been addressed in AVideo version 24.0. Security practitioners should upgrade to this patched version, as detailed in the GitHub release notes at https://github.com/WWBN/AVideo/releases/tag/24.0 and the security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-xxpw-32hf-q8v9. Additionally, review Docker deployments to ensure memcached is not unnecessarily exposed on public interfaces.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exposed unauthenticated memcached enables exploitation of public-facing application (T1190) and stealing web session data/IDs for hijacking and admin impersonation (T1539).