GHSA-xxpw-32hf-q8v9: AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
Summary
AVideo's Docker setup publishes memcached (used here as the PHP session store) on port 11211 of the host network without any authentication, allowing attackers to read, modify, or delete user session data and impersonate users or admins. The vulnerability has a high severity score (CVSS 8.1) because session data contains sensitive information such as user IDs, admin flags, and password hashes, and the memcached service runs with neither SASL authentication (the `-S` flag) nor any flag restricting the interface it listens on.
Solution / Mitigation
Remove the `ports:` directive from the memcached service in `docker-compose.yml` (line 203) to make it internal-only, matching the pattern already used for the database services. Alternatively, add authentication by including the `-S` flag for SASL authentication or restrict the listening interface with `-l 127.0.0.1` in the memcached command.
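The weak and corrected compose fragments side by side, as an added illustration that is not AVideo's own docker-compose.yml. The service names, image tag and the web service are assumed for the example; the published `ports:` entry is the one the advisory describes at line 203.

```yaml
# Added example, not AVideo's actual docker-compose.yml.
# Assumed: service names "memcached" and "avideo", image memcached:alpine.

# --- Before: the reported weakness ---
# "11211:11211" binds port 11211 on every host interface, so any peer on the
# host's network can read or overwrite PHP session entries without a password.
services:
  memcached:
    image: memcached:alpine
    ports:
      - "11211:11211"
  avideo:
    image: avideo/web            # assumed name
    depends_on:
      - memcached

---
# --- After: internal-only, the same pattern the advisory notes for the DB services ---
# No "ports:" entry: the service is reachable only by containers on the compose
# network, by its service name, while the host and its network see nothing.
services:
  memcached:
    image: memcached:alpine
    command: ["memcached", "-m", "64"]
  avideo:
    image: avideo/web            # assumed name
    depends_on:
      - memcached
    environment:
      # PHP reaches memcached by service name over the internal bridge (assumed variable name)
      MEMCACHED_HOST: memcached
```

Two checks are worth running after the change: `docker compose config` should show no `ports` under the memcached service, and on the host `ss -ltn | grep 11211` should return nothing. One caveat on the advisory's alternative: `-l 127.0.0.1` binds memcached to the container's own loopback interface, so unless the PHP container shares the memcached container's network namespace, AVideo itself can no longer reach the session store; dropping the `ports:` entry (or using `-S` with SASL credentials configured on the PHP side) is the option that keeps the application working.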
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-xxpw-32hf-q8v9
First tracked: March 4, 2026 at 11:00 PM
Classified by LLM (prompt v3) · confidence: 95%