CVE-2026-33037
Received Received - Intake
Default Credential Vulnerability in WWBN AVideo Enables Admin Takeover

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33037
EUVD
EUVD-2026-13575
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The vulnerability in WWBN AVideo versions 25.0 and below arises from the official Docker deployment files shipping with a default admin password set to "password". This password is automatically used to create the admin account during installation if the operator does not override the SYSTEM_ADMIN_PASSWORD environment variable.'}, {'type': 'paragraph', 'content': 'There are no compensating controls such as forced password changes, complexity validation, or detection of default passwords. Additionally, the password is hashed using the weak MD5 algorithm.'}, {'type': 'paragraph', 'content': 'This insecure default extends to database credentials as well, which are also set to trivial values.'}, {'type': 'paragraph', 'content': 'Exploitation depends on operators failing to change these defaults, which is likely in quick-start, demo, or automated deployments.'}, {'type': 'paragraph', 'content': 'The vulnerability allows trivial administrative takeover, enabling full admin access.'}] [1]

Impact Analysis

If exploited, this vulnerability allows an attacker to gain full administrative access to any AVideo instance deployed with the default credentials.

  • Exposure of all user data and videos stored on the platform.
  • Ability to modify, delete, or inject content on the platform.
  • Potential for remote code execution through admin features such as file uploads and plugin management.
  • Facilitation of credential stuffing attacks due to predictable default passwords.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the AVideo instance is using the default admin password "password" or default database credentials (avideo/avideo). Since the default password is hashed with MD5 as 5f4dcc3b5aa765d61d8327deb882cf99, you can verify if the admin account password hash matches this value.'}, {'type': 'paragraph', 'content': 'You can also inspect the deployment files such as `docker-compose.yml` and `.env` files to see if the environment variable SYSTEM_ADMIN_PASSWORD is unset or set to "password".'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Check environment variables in the running container or deployment files for SYSTEM_ADMIN_PASSWORD: `grep SYSTEM_ADMIN_PASSWORD docker-compose.yml .env`'}, {'type': 'list_item', 'content': 'Check if the admin password hash in the database matches the MD5 hash of "password": `SELECT password FROM users WHERE username=\'admin\';` and compare with `5f4dcc3b5aa765d61d8327deb882cf99`'}, {'type': 'list_item', 'content': 'Attempt to login using the default credentials (admin/password) via HTTP POST to verify if the instance is vulnerable.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Override the default SYSTEM_ADMIN_PASSWORD environment variable with a strong, random password before deployment.
  • Modify the installation process to generate and use a secure random admin password if the default or empty password is detected.
  • Implement a forced password change on first admin login to prevent continued use of weak or default passwords.
  • Add pre-flight checks in the Docker entrypoint script to refuse to start the container if insecure defaults are detected.
  • Review and update database credentials from the default trivial values (avideo/avideo) to secure ones.

These steps are part of the recommended remediation and have been implemented in the fix for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart