CVE-2026-33719

HighPublic PoC

Published: 23 March 2026

Published

23 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

EPSS Score 0.0018 39.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key…

has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits critical functions like CDN configuration modification to those requiring identification and authentication, directly addressing the missing authentication for these endpoints.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to prevent unauthenticated attackers from accessing and modifying CDN plugin endpoints.

SI-10 Information Input Validation partial match

prevent

Validates information inputs such as the 'par' parameter to mitigate mass-assignment vulnerabilities enabling configuration overwrites.

Security SummaryAI

CVE-2026-33719 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php`, which implement key-based authentication using an empty string as the default key. When the CDN plugin is enabled but the key remains unconfigured in its default state, the validation check is entirely bypassed. This enables mass-assignment vulnerabilities through the `par` request parameter, allowing unauthorized modification of the complete CDN configuration.

Any unauthenticated attacker can exploit this vulnerability remotely with low complexity and no privileges, as indicated by the CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and associated CWE-306 (Missing Authentication for Critical Function). Successful exploitation grants the ability to alter critical CDN settings, such as URLs, storage credentials, and the authentication key itself, potentially leading to unauthorized access to video storage, data exfiltration, or further compromise of the platform's infrastructure.

The patch is available in commit adeff0a31ba04a56f411eef256139fd7ed7d4310 on the WWBN/AVideo GitHub repository. Additional details are provided in the GitHub security advisory GHSA-r64r-883r-wcwh, which security practitioners should review for mitigation guidance and upgrade instructions.

Details

CWE(s): CWE-306

Affected Products

wwbn

avideo

≤ 26.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is in public-facing CDN plugin endpoints with missing authentication, allowing unauthenticated remote exploitation for arbitrary configuration modification (e.g., storage credentials), directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/WWBN/AVideo/commit/adeff0a31ba04a56f411eef256139fd7ed7d4310
Patch · security-advisories@github.com
https://github.com/WWBN/AVideo/security/advisories/GHSA-r64r-883r-wcwh
Exploit, Vendor Advisory · security-advisories@github.com