CVE-2026-33237
Status: Received - Intake
SSRF Vulnerability in WWBN AVideo Scheduler Plugin Allows Internal Access

Publication date: 2026-03-21

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
Meta Information
Published: 2026-03-21
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn
Product: avideo
Version / Range: up to 26.0 (excluding 26.0)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33237 is a Server-Side Request Forgery (SSRF) vulnerability in the Scheduler plugin of the WWBN AVideo open source video platform. Prior to version 26.0, the Scheduler plugin's run() function calls a URL configured by an administrator (callbackURL) but only validates the URL format without checking whether the URL points to internal or private network addresses.

Unlike other parts of AVideo that were patched for SSRF, the Scheduler plugin did not apply the isSSRFSafeURL() function, which blocks requests to private IP ranges, loopback addresses, and cloud metadata endpoints. This omission allows an admin to configure scheduled tasks with callback URLs targeting internal network resources or cloud infrastructure metadata services, potentially enabling SSRF attacks. [2]


How can this vulnerability impact me?

This vulnerability can have several impacts if exploited by an attacker with administrative access:

  • Cloud credential theft: An attacker can retrieve sensitive instance role credentials from cloud metadata services (e.g., AWS, GCP, Azure), which can lead to privilege escalation and broader compromise of cloud infrastructure.
  • Internal service probing: The server can be tricked into making requests to internal APIs, microservices, or databases that are not exposed externally, potentially exposing sensitive internal information.
  • Exposure of sensitive data: Responses from internal or cloud metadata endpoints are stored in scheduler execution logs, which may leak confidential information.

However, exploitation requires administrative privileges, which limits the attack surface but increases the severity if an admin account is compromised.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the scheduler execution logs for unexpected HTTP requests to internal or cloud metadata IP addresses, such as 169.254.169.254, which indicate potential SSRF exploitation attempts.

Specifically, look for log entries containing messages like "Scheduler::run SSRF protection blocked callbackURL: [URL]" or any callback URLs targeting internal network ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x) or cloud metadata endpoints.

Since the vulnerability requires an admin-configured scheduled task with a malicious callbackURL, auditing scheduled tasks for suspicious callback URLs pointing to internal or cloud metadata addresses is recommended.

Suggested commands to detect suspicious activity include:

  • Use grep or similar tools to search scheduler logs for internal IP addresses or metadata URLs, e.g., `grep -E '169\.254\.169\.254|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.' /path/to/scheduler/logs`
  • List scheduled tasks and inspect their callback URLs for internal or metadata IPs.
  • Monitor network traffic from the server for outbound HTTP requests to internal IP ranges or cloud metadata IPs using tools like tcpdump or Wireshark. [2, 1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade WWBN AVideo to version 26.0 or later, which includes a patch that adds SSRF protection by validating callback URLs with the `isSSRFSafeURL()` function in the Scheduler plugin.

If upgrading immediately is not possible, restrict administrative access to the Scheduler plugin to trusted users only, as exploitation requires admin privileges.

Additionally, audit and remove any scheduled tasks with callback URLs pointing to internal network addresses or cloud metadata services.

Implement network-level controls to block outgoing HTTP requests from the server to internal IP ranges and cloud metadata IP addresses (e.g., 169.254.169.254) to reduce risk.
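The audit of configured scheduled tasks recommended above (and in the detection section) can be scripted. The following is an added example, not AVideo's code: it re-implements in Python the destination policy the advisory attributes to `isSSRFSafeURL()` (reject private, loopback and link-local/metadata addresses) and applies it to a constructed list of task rows. The task ids, URLs, the hostname deny-list and the http/https-only rule are assumptions for illustration; a hostname that is not an IP literal is reported as "unresolved" because a real check must resolve it and re-test the resolved address.

```python
"""Audit AVideo Scheduler callbackURL values for SSRF-prone destinations.

Constructed example mirroring the policy described for isSSRFSafeURL():
block RFC-1918/private ranges, loopback and link-local (169.254.169.254
cloud metadata). Not the project's own code.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: short deny-list of names that reach the host or metadata
# services without an IP literal.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def classify_callback_url(url: str) -> str:
    """Return 'ok', 'blocked:<reason>', or 'unresolved' (needs DNS lookup)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):   # assumed rule
        return "blocked:scheme"
    host = parts.hostname
    if not host:
        return "blocked:no-host"
    if host.lower() in BLOCKED_HOSTNAMES:
        return "blocked:hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: resolve and re-check before trusting it.
        return "unresolved"
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # [::ffff:127.0.0.1] -> 127.0.0.1
    if ip.is_loopback:
        return "blocked:loopback"
    if ip.is_link_local:
        return "blocked:link-local"  # covers 169.254.169.254
    if ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_unspecified:
        return "blocked:private"
    return "ok"


def audit_tasks(tasks):
    """tasks: iterable of (task_id, callbackURL); returns rows that are not 'ok'."""
    flagged = []
    for task_id, url in tasks:
        verdict = classify_callback_url(url)
        if verdict != "ok":
            flagged.append((task_id, url, verdict))
    return flagged


# Constructed sample of scheduler task rows (ids and URLs are invented).
SAMPLE_TASKS = [
    (1, "https://1.2.3.4/callback"),
    (2, "https://hooks.example.com/avideo/done"),
    (3, "http://169.254.169.254/latest/"),
    (4, "http://10.0.3.7:8080/internal/api"),
    (5, "http://[::ffff:127.0.0.1]/admin"),
    (6, "ftp://files.example.com/"),
]

if __name__ == "__main__":
    for row in audit_tasks(SAMPLE_TASKS):
        print("task %d  %-45s %s" % row)
```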

