CVE-2026-33512
Received Received - Intake
Unauthenticated Decryption API Exposure in WWBN AVideo

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33512
EUVD
EUVD-2026-14479
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33512 is a high-severity vulnerability in the WWBN AVideo platform (versions up to and including 26.0) where the API plugin exposes a decryptString action without any authentication.

This means anyone can submit ciphertext to the decryptString API endpoint and receive the corresponding plaintext without needing to prove their identity or have any permissions.

Ciphertexts are publicly available through another endpoint, so any user can obtain encrypted tokens or metadata and then decrypt them using this unauthenticated API, exposing sensitive information.

Impact Analysis

This vulnerability leads to a complete loss of confidentiality for any encrypted payload generated by the platform.

  • Exposure of protected tokens and sensitive metadata such as video links, titles, and user IDs.
  • Allows attackers to decrypt confidential data without authorization.
  • Enables replay attacks and tampering where confidentiality was assumed.

There is no reported impact on data integrity or availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the WWBN AVideo platform's API endpoint for decrypting strings is accessible without authentication. Specifically, the endpoint `/plugin/API/get.json.php?APIName=decryptString` allows unauthenticated POST requests with a parameter `string` containing ciphertext to be decrypted."}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to decrypt a known ciphertext obtained from the publicly accessible endpoint `/view/url2Embed.json.php`.'}, {'type': 'list_item', 'content': 'Step 1: Obtain ciphertext by sending a GET request to `/view/url2Embed.json.php?url=<video_url>` and extract the `playLink` value.'}, {'type': 'list_item', 'content': 'Step 2: Send a POST request to `/plugin/API/get.json.php?APIName=decryptString` with content type `application/x-www-form-urlencoded` and parameter `string=<playLink ciphertext>`.'}, {'type': 'list_item', 'content': 'If the response returns decrypted plaintext without requiring authentication, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Example commands using curl:'}, {'type': 'list_item', 'content': 'curl -X GET "https://your-avideo-instance/view/url2Embed.json.php?url=https://example.com/video.mp4"'}, {'type': 'list_item', 'content': 'curl -X POST -d "string=<playLink_ciphertext>" "https://your-avideo-instance/plugin/API/get.json.php?APIName=decryptString" -H "Content-Type: application/x-www-form-urlencoded"'}] [2]

Mitigation Strategies

Immediate mitigation steps include:

  • Apply the patch that enforces authentication on the decryptString API endpoint, requiring either valid admin access or a valid APISecret.
  • Restrict access to the `/plugin/API/get.json.php?APIName=decryptString` endpoint to authorized users only.
  • If patching is not immediately possible, consider disabling or removing the decryptString endpoint entirely.
  • Rotate encryption keys and salts after applying the fix to invalidate any ciphertexts exposed prior to patching.
  • Consider replacing reversible encryption with one-way cryptographic signatures (e.g., HMAC) for token protection to avoid similar issues.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart