CVE-2026-33649
Received Received - Intake
CSRF Vulnerability in WWBN AVideo Enables Permission Escalation

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group β€” escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33649
EUVD
EUVD-2026-14486
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33649 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the WWBN AVideo platform affecting versions up to 27.0. The vulnerability exists in the endpoint plugin/Permissions/setPermission.json.php, which improperly accepts GET requests to perform state-changing operations that modify user group permissions without validating CSRF tokens.

The endpoint uses $_REQUEST instead of $_POST, allowing GET parameters to trigger permission changes. It lacks CSRF token validation and only checks if the user is an admin, which does not prevent CSRF attacks. Additionally, session cookies are set with SameSite=null and Secure=1, causing the admin’s session cookie to be sent with cross-origin GET requests.

An attacker can craft a malicious webpage containing multiple <img> tags with src attributes pointing to the vulnerable endpoint, passing parameters to grant various permissions to the attacker’s user group. When an admin visits this page, the browser automatically sends GET requests with the admin’s session cookie, allowing the attacker to escalate privileges to near-admin levels without having admin credentials.

Impact Analysis

This vulnerability allows an attacker to escalate their privileges from a low-privileged user to near-admin access by silently granting arbitrary permissions to their user group.

  • The attacker can gain permissions such as full video access, user management, video upload, and livestream capabilities.
  • All users in the compromised group gain escalated permissions, increasing the potential damage.

The attack requires no user interaction beyond the admin visiting a malicious page, making it easy to execute via social engineering.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious GET requests to the endpoint `plugin/Permissions/setPermission.json.php` that include parameters attempting to modify user group permissions.'}, {'type': 'paragraph', 'content': 'Since the endpoint improperly accepts GET requests for state-changing operations, you can look for unusual GET requests with parameters related to permission changes in your web server logs or network traffic.'}, {'type': 'list_item', 'content': 'Use tools like tcpdump or Wireshark to capture HTTP GET requests targeting `plugin/Permissions/setPermission.json.php`.'}, {'type': 'list_item', 'content': "Example command to search web server logs for suspicious GET requests (assuming Apache logs): `grep 'GET /plugin/Permissions/setPermission.json.php' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': 'Look for GET requests containing parameters such as permission types (e.g., `type=10`, `type=20`, `type=70`, `type=80`) and user group IDs (small integers like 1-3).'}, {'type': 'list_item', 'content': 'Monitor for unexpected permission changes in the application, especially if triggered by GET requests without CSRF tokens.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting the vulnerable endpoint to accept only POST requests and enforcing CSRF token validation.

Specifically:

  • Modify the `plugin/Permissions/setPermission.json.php` endpoint to reject GET requests and accept only POST requests.
  • Implement CSRF token validation by calling `isGlobalTokenValid()` before processing permission changes.
  • Replace usage of `$_REQUEST` with `$_POST` to ensure parameters are only accepted from POST data.
  • Ensure AJAX calls include the global CSRF token in their POST data.

Until a patched version is available, consider limiting admin access to trusted networks and educating admins to avoid visiting untrusted or suspicious web pages.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33649. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart