Public March 2026
AVideo Published Its Session Store to the Host Network
BugBunny.ai found that the official AVideo docker-compose deployment exposed memcached on 0.0.0.0:11211 while PHP stored all user sessions in that instance. In deployments without additional firewalling, any network-reachable attacker could read, overwrite, or delete live session data.
TL;DR
- Impact: Attackers can hijack authenticated sessions or corrupt application state by interacting directly with the exposed memcached service.
- Access required: Unauthenticated access to the host-published memcached port used as the PHP session backend.
- Affected: AVideo docker-compose deployments prior to version 24.0.
- Status: Published and fixed in AVideo 24.0.
Root Cause
The deployment configuration published memcached to the host interface even though the service was intended to act as an internal session cache. PHP was explicitly configured to store sessions inside that same memcached instance.
Because memcached has no authentication in this configuration, network access to port 11211 became equivalent to direct session-store access. An attacker could enumerate session keys, modify them, or delete them, which translates into session theft and availability impact.
Product: AVideo
Affected: < 24.0
Patched: >= 24.0
Weaknesses
CWE-668: Exposure of Resource to Wrong Sphere
Mitigation
- Upgrade AVideo to 24.0 or later.
- Never publish session-store services like memcached directly to public or semi-public host interfaces.
- Invalidate existing sessions if a deployment may have exposed memcached before remediation.
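As an added example (not AVideo's own compose file or tooling), the check below audits docker-compose `ports:` mappings and flags a session-store service, such as memcached on 11211, that is published on every host interface, which is the misconfiguration described in the root cause above. Both compose `ports` syntaxes are handled (short strings like `"11211:11211"` or `"127.0.0.1:11211:11211"`, and the long form with `target`/`published`/`host_ip`). The two service definitions are constructed for this example: the weak one mirrors the pattern in the advisory, the hardened one omits `ports:` so memcached is reachable only over the compose-internal network by service name; bracketed IPv6 host addresses are not parsed.

```python
"""Audit docker-compose port mappings for session stores published on all host interfaces.

Added example, not part of the AVideo project. It checks compose `ports:` entries
(as they would appear after YAML parsing) rather than a live host.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Container ports that act as PHP session backends. 11211 (memcached) is the port
# from the advisory; the mapping is a parameter so other stores can be added.
SESSION_STORE_PORTS = {11211: "memcached"}

# Host addresses that mean "every interface" for a published port. An empty
# host_ip is docker's default and also binds to all interfaces.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


@dataclass(frozen=True)
class PublishedPort:
    service: str
    host_ip: str        # "" = docker default (all interfaces)
    host_port: str      # "" = ephemeral host port chosen by docker
    container_port: int
    protocol: str


def parse_short_mapping(service: str, mapping: str) -> PublishedPort:
    """Parse compose short syntax: [[host_ip:]host_port:]container_port[/protocol]."""
    spec, _, proto = mapping.partition("/")
    parts = spec.split(":")
    if len(parts) == 1:
        host_ip, host_port, container = "", "", parts[0]
    elif len(parts) == 2:
        host_ip, (host_port, container) = "", parts
    elif len(parts) == 3:
        host_ip, host_port, container = parts
    else:
        raise ValueError(f"unsupported port mapping (IPv6 host ip?): {mapping!r}")
    # A container port range like "11211-11212" is keyed by its first port.
    container_port = int(container.split("-")[0])
    return PublishedPort(service, host_ip, host_port, container_port, proto or "tcp")


def parse_mapping(service: str, mapping: Any) -> PublishedPort:
    """Accept either the short string form or the long dict form of a compose port entry."""
    if isinstance(mapping, dict):
        return PublishedPort(
            service,
            str(mapping.get("host_ip", "")),
            str(mapping.get("published", "")),
            int(mapping["target"]),
            str(mapping.get("protocol", "tcp")),
        )
    return parse_short_mapping(service, str(mapping))


def audit_compose(services: dict[str, dict], stores: dict[int, str] = SESSION_STORE_PORTS) -> list[str]:
    """Return one finding per session-store port that is reachable from the host network."""
    findings: list[str] = []
    for name, svc in services.items():
        for mapping in svc.get("ports", []):
            port = parse_mapping(name, mapping)
            store = stores.get(port.container_port)
            if store and port.host_ip in ALL_INTERFACES:
                bind = f"{port.host_ip or '0.0.0.0'}:{port.host_port or '<ephemeral>'}"
                findings.append(f"{name}: {store} (container port {port.container_port}) published on {bind}")
    return findings


# Constructed service definitions (the `services:` section of a compose file, already parsed).
VULNERABLE_SERVICES = {
    "memcached": {"image": "memcached:alpine", "ports": ["11211:11211"]},
    "php": {"image": "avideo-placeholder", "ports": ["80:80"]},
}
# Hardened: memcached has no `ports:` at all, so only containers on the compose
# network can reach it (PHP uses the host name "memcached" for its session.save_path).
HARDENED_SERVICES = {
    "memcached": {"image": "memcached:alpine"},
    "php": {"image": "avideo-placeholder", "ports": ["80:80"]},
}


if __name__ == "__main__":
    for label, services in (("vulnerable", VULNERABLE_SERVICES), ("hardened", HARDENED_SERVICES)):
        print(label, audit_compose(services) or ["no session store published to host network"])
```

Binding to `127.0.0.1:11211:11211` is not flagged by this check because it keeps the port off the network, but it still lets any local process on the host talk to the session store; dropping `ports:` entirely, as in the hardened definition, is the cleaner fix.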
Credits & Disclosure
Published via GitHub Security Advisory GHSA-xxpw-32hf-q8v9 after coordinated remediation with the AVideo maintainers.