CVE-2026-33037
Published: 20 March 2026
Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
Mitigating Controls (NIST 800-53 r5) [AI]
IA-5 directly requires changing default authenticators prior to first use and enforcing authenticator quality requirements, preventing exploitation of hardcoded weak 'password' and MD5-hashed credentials.
CM-6 mandates identifying, documenting, and deploying secure configuration settings for software products, ensuring overrides for default admin and database credentials in Docker deployment files.
CM-2 requires developing and maintaining baseline configurations under change control that exclude insecure defaults, addressing the root cause of unhardened deployments.
Security Summary [AI]
CVE-2026-33037 is an insecure default configuration vulnerability (CWE-1188) in WWBN AVideo, an open source video platform, affecting versions 25.0 and below. The official Docker deployment files (docker-compose.yml and env.example) ship with the admin password hardcoded as "password", which automatically seeds the admin account during installation. Deployments that do not override the SYSTEM_ADMIN_PASSWORD environment variable are vulnerable to immediate administrative takeover. No compensating controls exist, such as forced password changes on first login, complexity validation, or default-password detection, and the password is hashed using weak MD5. The vulnerability extends to default database credentials (avideo/avideo), further compounding the risk.
Remote attackers with no privileges (AV:N/PR:N) can exploit this vulnerability by authenticating with the publicly known default credentials, assuming the target instance was deployed without customization—a scenario likely in quick-start, demo, or automated environments. Successful exploitation grants full administrative access (CVSS 8.1: C:H/I:H/A:H), allowing user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The high attack complexity (AC:H) stems from reliance on operators failing to change defaults.
The vulnerability has been addressed in AVideo version 26.0. Mitigation involves upgrading to version 26.0 and ensuring all deployments override default credentials, particularly SYSTEM_ADMIN_PASSWORD and database passwords. Additional details are available in the GitHub security advisory (GHSA-89rv-p523-6wg9) and the fixing commit (2075fac1a51f21fab5d8592235a095aa354a9de6).
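The mitigation above (override SYSTEM_ADMIN_PASSWORD and the database credentials before deploying) and the CM-6 control (document and enforce secure settings in the deployment files) both come down to a pre-deployment check of the env file. The script below is an added example, not code from the AVideo project or the advisory: it parses a dotenv-style file, flags any key that is missing (the installer would then seed the shipped default), still carries the known default value, or is a password shorter than a local minimum length, and separately lets an operator check whether an existing admin row still holds the MD5 hash of the shipped default. Only the key SYSTEM_ADMIN_PASSWORD and the values "password" and avideo/avideo come from the advisory; the database key names DB_USER and DB_PASSWORD, the minimum length, and the assumption that the stored hash is an unsalted MD5 hex digest are placeholders and assumptions.

```python
"""Pre-deployment audit for insecure default credentials in a Docker env file.

Added example for this advisory; it is not part of AVideo. SYSTEM_ADMIN_PASSWORD
and the defaults "password" / "avideo" are from the advisory text; DB_USER and
DB_PASSWORD are hypothetical key names standing in for the real file's keys.
"""
import hashlib
import re

# Shipped defaults the advisory describes; DB_* key names are hypothetical.
INSECURE_DEFAULTS = {
    "SYSTEM_ADMIN_PASSWORD": {"password"},
    "DB_USER": {"avideo"},
    "DB_PASSWORD": {"avideo"},
}
MIN_SECRET_LENGTH = 16  # local policy (assumption), since the product itself enforces none

_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_env(text):
    """Parse KEY=VALUE lines in dotenv style; skips comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit_env(text):
    """Return (key, reason) findings for an env file; an empty list means it passes."""
    env = parse_env(text)
    findings = []
    for key, bad_values in INSECURE_DEFAULTS.items():
        value = env.get(key)
        if not value:
            findings.append((key, "not set: installer will seed the shipped default"))
        elif value in bad_values:
            findings.append((key, f"still the shipped default value {value!r}"))
        elif key.endswith("PASSWORD") and len(value) < MIN_SECRET_LENGTH:
            findings.append((key, f"shorter than {MIN_SECRET_LENGTH} characters"))
    return findings


def is_default_admin_hash(stored_hex):
    """True if a stored admin hash equals MD5 of the shipped default password.

    Assumes an unsalted MD5 hex digest, which the advisory's "weak MD5" wording
    suggests but does not spell out; use it only to audit your own instance.
    """
    return stored_hex.strip().lower() == hashlib.md5(b"password").hexdigest()


# Constructed samples: the shipped-style file beside a corrected one.
WEAK_ENV = """
# constructed sample mirroring the insecure defaults
SYSTEM_ADMIN_PASSWORD=password
DB_USER=avideo
DB_PASSWORD=avideo
"""

HARDENED_ENV = """
# constructed sample with every default overridden (values are placeholders)
SYSTEM_ADMIN_PASSWORD="correct-horse-battery-staple-42"
DB_USER=avideo_app
DB_PASSWORD=db-secret-placeholder-0123456789
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        findings = audit_env(sample)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for key, reason in findings:
            print(f"  {key}: {reason}")
```

Run it as a gate in the deployment pipeline before `docker compose up`: a non-empty findings list should block the deploy. The "not set" branch matters as much as the exact-match branch, because the advisory's failure mode is an operator who never overrides the variable at all, not one who types "password" deliberately.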
Details
- CWE(s): CWE-1188 (Initialization of a Resource with an Insecure Default)
- Affected Products: WWBN AVideo, versions 25.0 and below (fixed in 26.0)
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Hardcoded default admin credentials enable use of default accounts (T1078.001) for unauthenticated remote access to the public-facing web application (T1190).