CVE-2026-33501
Received Received - Intake
Unauthorized Access in WWBN AVideo Permissions Endpoint

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33501
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33501 is a vulnerability in the WWBN AVideo open source video platform affecting versions up to and including 26.0. The issue exists in the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php`, which lacks any authentication or authorization checks. This allows unauthenticated users to access and retrieve the complete permission matrix that maps user groups to plugins.

While sibling endpoints in the same directory properly require administrator privileges, this particular endpoint does not, which is an oversight. The vulnerability enables attackers to obtain sensitive information about user group permissions without needing to log in.

Impact Analysis

This vulnerability allows an unauthenticated attacker to enumerate the entire authorization model of the AVideo instance. They can retrieve all user group IDs, installed plugin IDs, permission types, and the active or inactive status of each group-plugin permission.

Although the attacker cannot modify data directly, having access to this detailed permission mapping significantly aids in planning targeted privilege escalation attacks by revealing exactly which groups have access to which plugins and their permission levels.

The overall impact is an increased risk of unauthorized access and potential compromise of the system through subsequent attacks that leverage this sensitive information.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoint without authentication and observing if the complete permission matrix is returned.

A simple command to test this is using curl to send an unauthenticated request to the endpoint:

  • curl http://<your-avideo-instance>/plugin/Permissions/View/Users_groups_permissions/list.json.php

If the response contains JSON data listing user group permissions without requiring authentication, the system is vulnerable.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, ensure that the vulnerable endpoint enforces administrative authorization checks.'}, {'type': 'paragraph', 'content': 'Specifically, update the `plugin/Permissions/View/Users_groups_permissions/list.json.php` file to include a check that only allows access if the user is an administrator.'}, {'type': 'list_item', 'content': 'Load the Permissions plugin and verify admin status using `User::isAdmin()`.'}, {'type': 'list_item', 'content': 'If the user is not an admin, terminate the request and return a JSON error message such as `{ "error": true, "msg": "You cant do this" }`.'}, {'type': 'paragraph', 'content': 'This fix is demonstrated in the commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516.'}] [1, 3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart