CVE-2026-33685
Received Received - Intake
Unauthorized Data Exposure in WWBN AVideo AD_Server JSON API

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33685
EUVD
EUVD-2026-14496
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33685 is an authorization bypass vulnerability in the WWBN AVideo platform affecting versions up to 26.0. Specifically, the JSON API endpoints in the AD_Server plugin, such as `plugin/AD_Server/reports.json.php` and `plugin/AD_Server/getData.json.php`, do not perform any authentication or authorization checks. This allows any unauthenticated attacker to access sensitive ad campaign analytics data.

While the HTML (`reports.php`) and CSV export (`getCSV.php`) endpoints correctly restrict access to admin users, the JSON endpoints were left unprotected. As a result, attackers can extract data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts without needing to log in.

The vulnerability arises because the JSON endpoints fail to verify if the requester is an authenticated admin user before returning sensitive data.

Impact Analysis

This vulnerability allows unauthenticated attackers to access sensitive business and user data that should be restricted to administrators only.

  • Attackers can enumerate platform users by extracting user IDs and channel names.
  • They can extract detailed ad campaign intelligence including campaign names, types, and performance metrics.
  • Attackers can map video ownership to users and their ad revenue performance.
  • On multi-tenant instances, one content creator could access another creator’s sensitive ad performance data.

Overall, the exposure of this sensitive data can lead to business intelligence leaks and privacy concerns.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting unauthenticated access to the vulnerable JSON API endpoints in the WWBN AVideo platform, specifically `plugin/AD_Server/reports.json.php` and `plugin/AD_Server/getData.json.php`.

Proof of Concept (PoC) commands to test for unauthorized access include making HTTP requests to these endpoints with various parameters without authentication, such as:

  • Access ad performance by video: `plugin/AD_Server/reports.json.php?reportType=adsByVideo`
  • Access per-user ad analytics: `plugin/AD_Server/reports.json.php?reportType=adsByUser&users_id=1`
  • Access ad type breakdowns: `plugin/AD_Server/reports.json.php?reportType=adTypes`
  • Access ads for a specific video: `plugin/AD_Server/reports.json.php?reportType=adsForSingleVideo&videos_id=1`
  • Enumerate users by iterating user IDs via `plugin/AD_Server/reports.json.php` with appropriate parameters
  • Access aggregate ad view counts: `plugin/AD_Server/getData.json.php`

If these endpoints return sensitive data without requiring authentication, the system is vulnerable.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, restrict access to the affected JSON API endpoints by enforcing admin-only authorization checks.'}, {'type': 'paragraph', 'content': 'Specifically, add authorization checks using `User::isAdmin()` at the beginning of the following PHP files:'}, {'type': 'list_item', 'content': '`plugin/AD_Server/reports.json.php`'}, {'type': 'list_item', 'content': '`plugin/AD_Server/getData.json.php`'}, {'type': 'list_item', 'content': '`plugin/AD_Server/view/campaigns.json.php`'}, {'type': 'list_item', 'content': '`plugin/AD_Server/view/campaignsVideos.json.php`'}, {'type': 'paragraph', 'content': 'If the user is not an admin, the script should immediately terminate and return a 403 Forbidden response with an appropriate error message.'}, {'type': 'paragraph', 'content': 'Example PHP snippet to add after configuration loading:'}, {'type': 'list_item', 'content': "```php\nif (!User::isAdmin()) {\n header('HTTP/1.1 403 Forbidden');\n die(json_encode(['error' => 'You must be an admin to access this resource']));\n}\n```"}, {'type': 'paragraph', 'content': 'Applying this fix will prevent unauthorized users from accessing sensitive ad campaign analytics data.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33685. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart