CVE-2026-33501
Unauthorized Access in WWBN AVideo Permissions Endpoint
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33501 is a vulnerability in the WWBN AVideo open source video platform affecting versions up to and including 26.0. The issue exists in the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php`, which lacks any authentication or authorization checks. This allows unauthenticated users to access and retrieve the complete permission matrix that maps user groups to plugins.
While sibling endpoints in the same directory properly require administrator privileges, this particular endpoint does not, which is an oversight. The vulnerability enables attackers to obtain sensitive information about user group permissions without needing to log in.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to enumerate the entire authorization model of the AVideo instance. They can retrieve all user group IDs, installed plugin IDs, permission types, and the active or inactive status of each group-plugin permission.
Although the attacker cannot modify data directly, having access to this detailed permission mapping significantly aids in planning targeted privilege escalation attacks by revealing exactly which groups have access to which plugins and their permission levels.
The overall impact is an increased risk of unauthorized access and potential compromise of the system through subsequent attacks that leverage this sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable endpoint without authentication and observing if the complete permission matrix is returned.
A simple command to test this is using curl to send an unauthenticated request to the endpoint:
- curl http://<your-avideo-instance>/plugin/Permissions/View/Users_groups_permissions/list.json.php
If the response contains JSON data listing user group permissions without requiring authentication, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, ensure that the vulnerable endpoint enforces administrative authorization checks.'}, {'type': 'paragraph', 'content': 'Specifically, update the `plugin/Permissions/View/Users_groups_permissions/list.json.php` file to include a check that only allows access if the user is an administrator.'}, {'type': 'list_item', 'content': 'Load the Permissions plugin and verify admin status using `User::isAdmin()`.'}, {'type': 'list_item', 'content': 'If the user is not an admin, terminate the request and return a JSON error message such as `{ "error": true, "msg": "You cant do this" }`.'}, {'type': 'paragraph', 'content': 'This fix is demonstrated in the commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516.'}] [1, 3, 2]