CVE-2026-33650
Received Received - Intake
Privilege Escalation in WWBN AVideo via Inadequate Video Permission Checks

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations β€” including ownership transfer and deletion of any video β€” despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33650
EUVD
EUVD-2026-14488
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33650 is a privilege escalation vulnerability in the WWBN AVideo platform affecting versions up to and including 26.0. It allows a user with the "Videos Moderator" permission, which is intended only to allow limited video publicity changes (such as setting videos to Active, Inactive, or Unlisted), to escalate their privileges and perform full video management operations. This includes transferring ownership of any video and deleting any video.'}, {'type': 'paragraph', 'content': 'The root cause is an authorization logic flaw where the permission check `Permissions::canModerateVideos()` is incorrectly used as a gate for full video editing in the `videoAddNew.json.php` endpoint, while the deletion endpoint `videoDelete.json.php` only checks if the user owns the video. This creates an asymmetric authorization boundary that can be exploited in two steps: first, a moderator transfers ownership of a video to themselves, then deletes it using their new ownership rights.'}, {'type': 'paragraph', 'content': 'Additional unauthorized actions possible include changing premium content flags, removing video passwords, altering video categories, and modifying user group visibility, all beyond the intended scope of the moderator role.'}] [2]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual privilege escalation activities involving the "Videos Moderator" role, specifically unauthorized ownership transfers and deletions of videos.'}, {'type': 'paragraph', 'content': 'Detection can involve checking logs or network traffic for POST requests to the endpoints `videoAddNew.json.php` and `videoDelete.json.php` that perform ownership changes or deletions by users with only moderator permissions.'}, {'type': 'paragraph', 'content': 'Suggested commands include inspecting web server access logs or application logs for suspicious POST requests, for example using grep:'}, {'type': 'list_item', 'content': "grep 'POST /videoAddNew.json.php' /var/log/apache2/access.log | grep 'owner' # Detect ownership change attempts"}, {'type': 'list_item', 'content': "grep 'POST /videoDelete.json.php' /var/log/apache2/access.log # Detect video deletion attempts"}, {'type': 'paragraph', 'content': 'Additionally, monitoring user roles and permissions changes or auditing video ownership records for unexpected modifications can help identify exploitation attempts.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting the permissions of users with the "Videos Moderator" role to prevent them from performing full video management operations such as ownership transfer and deletion.'}, {'type': 'paragraph', 'content': 'Specifically, update the AVideo platform code to replace all uses of `Permissions::canModerateVideos()` with `Permissions::canAdminVideos()` in the `videoAddNew.json.php` file to ensure only users with admin-level video permissions can perform sensitive actions.'}, {'type': 'paragraph', 'content': 'If patching is not immediately possible, consider temporarily removing or limiting the "Videos Moderator" permission from users until the fix can be applied.'}, {'type': 'paragraph', 'content': 'Apply the patch from commit 838e16818c793779406ecbf34ebaeba9830e33f8 which tightens authorization checks and prevents moderators from escalating privileges.'}, {'type': 'paragraph', 'content': 'Also, audit existing video ownership and permissions to detect and revert any unauthorized changes made exploiting this vulnerability.'}] [1, 2]

Impact Analysis

This vulnerability can have significant negative impacts on users and administrators of the WWBN AVideo platform.

  • Arbitrary deletion of any video on the platform, including those owned by administrators or other users.
  • Unauthorized modification of video content and metadata, such as removing password protection, changing video categories, or altering user group visibility.
  • Corruption of ownership records, which undermines audit trails and accountability.
  • Potential targeted destruction or tampering of high-value or sensitive video content.

Overall, the vulnerability compromises platform integrity, availability of content, and trust in access controls.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33650. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart