CVE-2026-33650
Privilege Escalation in WWBN AVideo via Inadequate Video Permission Checks
Publication date: 2026-03-23
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33650 is a privilege escalation vulnerability in the WWBN AVideo platform affecting versions up to and including 26.0. It allows a user with the "Videos Moderator" permission, which is intended only to allow limited video publicity changes (such as setting videos to Active, Inactive, or Unlisted), to escalate their privileges and perform full video management operations. This includes transferring ownership of any video and deleting any video.

The root cause is an authorization logic flaw where the permission check `Permissions::canModerateVideos()` is incorrectly used as a gate for full video editing in the `videoAddNew.json.php` endpoint, while the deletion endpoint `videoDelete.json.php` only checks if the user owns the video. This creates an asymmetric authorization boundary that can be exploited in two steps: first, a moderator transfers ownership of a video to themselves, then deletes it using their new ownership rights.

Additional unauthorized actions possible include changing premium content flags, removing video passwords, altering video categories, and modifying user group visibility, all beyond the intended scope of the moderator role. [2]
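The asymmetric boundary described above is easiest to see in a small model of the two gates. The following is an added illustration, not AVideo's code: the `User` and `Video` records, the `Permissions` helper, `VideoStore` and its two endpoint stand-ins are hypothetical, built only to mirror what the advisory states (edit gated on `canModerateVideos()` before the fix and on `canAdminVideos()` after it; deletion checking ownership only). The user and video names are constructed sample data.

```python
"""Toy model of the asymmetric authorization boundary behind CVE-2026-33650.

Added illustration, not AVideo's code. The User/Video records, the
Permissions helper and the two endpoint functions are hypothetical
stand-ins that mirror the gates named in the advisory: videoAddNew.json.php
gated on canModerateVideos() (the flaw) versus canAdminVideos() (the fix),
and videoDelete.json.php checking only that the caller owns the video.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool = False
    videos_moderator: bool = False   # the "Videos Moderator" permission


@dataclass
class Video:
    video_id: int
    owner: str
    status: str = "active"


class Forbidden(Exception):
    """Raised when an authorization gate rejects the caller."""


class Permissions:
    @staticmethod
    def can_moderate_videos(user: User) -> bool:
        return user.is_admin or user.videos_moderator

    @staticmethod
    def can_admin_videos(user: User) -> bool:
        return user.is_admin


class VideoStore:
    def __init__(self, videos):
        self.videos = {v.video_id: v for v in videos}

    def video_add_new(self, user, video_id, *, new_owner=None, status=None, fixed):
        """Stand-in for videoAddNew.json.php: full edit, ownership transfer included.
        fixed=False uses the moderator gate (vulnerable); fixed=True the admin gate."""
        gate = Permissions.can_admin_videos if fixed else Permissions.can_moderate_videos
        if not gate(user):
            raise Forbidden(f"{user.name} may not edit video {video_id}")
        video = self.videos[video_id]
        if new_owner is not None:
            video.owner = new_owner
        if status is not None:
            video.status = status

    def video_delete(self, user, video_id):
        """Stand-in for videoDelete.json.php: ownership is the only check."""
        video = self.videos[video_id]
        if video.owner != user.name:
            raise Forbidden(f"{user.name} does not own video {video_id}")
        del self.videos[video_id]


def moderator_can_delete_foreign_video(fixed: bool) -> bool:
    """Run the two-step path from the advisory against a fresh store and report
    whether a plain moderator ends up deleting another user's video."""
    store = VideoStore([Video(1, owner="alice")])        # constructed sample data
    moderator = User("mallory", videos_moderator=True)
    try:
        store.video_add_new(moderator, 1, new_owner=moderator.name, fixed=fixed)  # step 1
        store.video_delete(moderator, 1)                                          # step 2
    except Forbidden:
        pass
    return 1 not in store.videos


def admin_still_manages_videos(fixed: bool) -> bool:
    """Regression check for the fix: an admin keeps full editing rights."""
    store = VideoStore([Video(2, owner="alice")])
    admin = User("root", is_admin=True)
    store.video_add_new(admin, 2, status="unlisted", fixed=fixed)
    return store.videos[2].status == "unlisted"


if __name__ == "__main__":
    for fixed in (False, True):
        print(f"fixed={fixed}: moderator deleted another user's video -> "
              f"{moderator_can_delete_foreign_video(fixed)}")
```

The point of the model is that the deletion gate is not wrong on its own; it becomes exploitable only because the edit gate lets a moderator rewrite the ownership fact the deletion gate relies on. Tightening the edit gate to the admin check, as the fix does, closes the path while leaving admins unaffected.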
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual privilege escalation activities involving the "Videos Moderator" role, specifically unauthorized ownership transfers and deletions of videos.

Detection can involve checking logs or network traffic for POST requests to the endpoints `videoAddNew.json.php` and `videoDelete.json.php` that perform ownership changes or deletions by users with only moderator permissions.

Suggested commands include inspecting web server access logs or application logs for suspicious POST requests, for example using grep:

- `grep 'POST /videoAddNew.json.php' /var/log/apache2/access.log | grep 'owner'` # Detect ownership change attempts
- `grep 'POST /videoDelete.json.php' /var/log/apache2/access.log` # Detect video deletion attempts

Additionally, monitoring user roles and permissions changes or auditing video ownership records for unexpected modifications can help identify exploitation attempts. [2]
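A triage helper for the log check suggested above, as an added example that is not part of the advisory or of AVideo. It parses constructed Apache combined-format lines, keeps POST requests to the two endpoints named in the advisory and counts them per client address, and lists clients that hit `videoAddNew.json.php` before `videoDelete.json.php`, the ordering the advisory describes. The sample lines, addresses and the root-level endpoint paths are constructed; the matcher compares only the end of the request path, so the directory the endpoints actually live under does not matter. One caveat a practitioner should know: the combined format records only the request line, so an `owner` parameter is visible here only when it travels in the query string, and confirming an actual ownership change needs the application's own records.

```python
"""Access-log triage for CVE-2026-33650. Added example, not AVideo's code."""
import re
from collections import Counter

WATCHED_ENDPOINTS = ("/videoAddNew.json.php", "/videoDelete.json.php")

# Apache/NGINX combined log format: client ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic); endpoint paths assumed at site root.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /view/1 HTTP/1.1" 200 5120
203.0.113.7 - - [23/Mar/2026:10:00:05 +0000] "POST /videoAddNew.json.php HTTP/1.1" 200 310
203.0.113.7 - - [23/Mar/2026:10:00:09 +0000] "POST /videoDelete.json.php HTTP/1.1" 200 42
198.51.100.2 - - [23/Mar/2026:10:01:00 +0000] "POST /videoAddNew.json.php?owner=1 HTTP/1.1" 200 310
198.51.100.2 - - [23/Mar/2026:10:02:00 +0000] "GET /videoAddNew.json.php HTTP/1.1" 405 0
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def watched_requests(log_text):
    """Parsed POST requests whose path ends with one of the watched endpoints."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # strip the query string
        if any(path.endswith(ep) for ep in WATCHED_ENDPOINTS):
            rec["endpoint"] = path
            # Only visible when the parameter is in the query string, not the body.
            rec["owner_in_query"] = "owner=" in rec["path"]
            hits.append(rec)
    return hits


def hits_per_client(log_text):
    """Count watched POSTs per client address, e.g. {'203.0.113.7': 2}."""
    return Counter(h["client"] for h in watched_requests(log_text))


def clients_with_transfer_then_delete(log_text):
    """Clients that POSTed to videoAddNew and later to videoDelete.
    Worth a closer look against application records; not proof of exploitation."""
    seen_add = set()
    flagged = set()
    for h in watched_requests(log_text):
        if h["endpoint"].endswith("/videoAddNew.json.php"):
            seen_add.add(h["client"])
        elif h["client"] in seen_add:
            flagged.add(h["client"])
    return sorted(flagged)


if __name__ == "__main__":
    print(dict(hits_per_client(SAMPLE_LOG)))
    print(clients_with_transfer_then_delete(SAMPLE_LOG))
```

Point `SAMPLE_LOG` at the contents of a real access log to run the same triage; the per-client counts give a starting point and the transfer-then-delete list a shortlist to cross-check against video ownership records.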
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the permissions of users with the "Videos Moderator" role to prevent them from performing full video management operations such as ownership transfer and deletion.

Specifically, update the AVideo platform code to replace all uses of `Permissions::canModerateVideos()` with `Permissions::canAdminVideos()` in the `videoAddNew.json.php` file to ensure only users with admin-level video permissions can perform sensitive actions.

If patching is not immediately possible, consider temporarily removing or limiting the "Videos Moderator" permission from users until the fix can be applied.

Apply the patch from commit 838e16818c793779406ecbf34ebaeba9830e33f8 which tightens authorization checks and prevents moderators from escalating privileges.

Also, audit existing video ownership and permissions to detect and revert any unauthorized changes made exploiting this vulnerability. [1, 2]
How can this vulnerability impact me?
This vulnerability can have significant negative impacts on users and administrators of the WWBN AVideo platform.
- Arbitrary deletion of any video on the platform, including those owned by administrators or other users.
- Unauthorized modification of video content and metadata, such as removing password protection, changing video categories, or altering user group visibility.
- Corruption of ownership records, which undermines audit trails and accountability.
- Potential targeted destruction or tampering of high-value or sensitive video content.
Overall, the vulnerability compromises platform integrity, availability of content, and trust in access controls.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know