CVE-2026-33759
Unauthorized Access in WWBN AVideo Playlist Endpoint
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to access private playlists, including watch history and favorite videos, exposing sensitive video metadata and user information without authorization.
Such unauthorized disclosure of personal viewing habits and content preferences constitutes a privacy violation, which can negatively impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive user data.
By failing to enforce authorization checks, the platform risks exposing personally identifiable information (PII) and user behavior data, potentially leading to regulatory non-compliance and associated legal or financial consequences.
Can you explain this vulnerability to me?
CVE-2026-33759 is an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform. The vulnerability exists in the endpoint `objects/playlistsVideos.json.php`, which returns the full video contents of any playlist by its sequential integer playlist ID without performing any authentication or authorization checks.
While private playlists such as 'watch_later' and 'favorite' are hidden from user-facing listing endpoints, their contents can still be accessed directly by providing the playlist ID to this vulnerable endpoint. This allows an attacker to enumerate playlist IDs and retrieve private video contents and metadata without logging in.
The root cause is missing authorization checks before returning playlist contents, classified as CWE-862: Missing Authorization.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to access all users' private playlist contents, including watch history and favorite videos.
Sensitive video metadata and user information such as titles, filenames, URLs, user details, comments, and subscriber counts are exposed.
This leads to a privacy violation by revealing user viewing habits and content preferences without any user interaction or privileges required.
The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.3, indicating it is exploitable over the network with low complexity and no authentication.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the endpoint `objects/playlistsVideos.json.php` with different sequential integer values for the `playlists_id` parameter without authentication. If the endpoint returns playlist contents, including private playlists such as 'watch_later' or 'favorite', it indicates the system is vulnerable.
A simple detection method is to send HTTP GET requests incrementing the `playlists_id` parameter and observe if playlist data is returned without authentication.
- Use curl or similar tools to test access, for example:
- curl -i "http://<target>/objects/playlistsVideos.json.php?playlists_id=1"
- curl -i "http://<target>/objects/playlistsVideos.json.php?playlists_id=2"
- Increment the `playlists_id` value to enumerate playlists and check if private playlist contents are accessible.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, implement authorization checks on the `objects/playlistsVideos.json.php` endpoint before returning playlist contents.
Specifically:
- Validate the `playlists_id` parameter and load the corresponding playlist.
- Check if the playlist is public or unlisted; if not, verify that the requester is authenticated and is either the owner of the playlist or an administrator.
- If the authorization check fails, respond with HTTP 403 Forbidden and an appropriate error message.
- Only allow access to playlist contents if the authorization check passes.
Applying the patch from commit bb716fbece656c9fe39784f11e4e822b5867f1ca is recommended, as it corrects permission handling and enforces these authorization checks.
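The authorization gate described in the steps above, written out as an added PHP example; this is not AVideo's own code and not the content of the referenced commit. The helpers load_playlist(), current_user_id(), current_user_is_admin() and playlist_videos() are assumed placeholders standing in for the application's data and session layer.

```php
<?php
// Added example (not AVideo's code): an authorization check that runs before
// a playlist's contents are serialized for ?playlists_id=N.
// Assumed helpers (not from the project):
//   load_playlist(int $id): ?array   -> ['users_id' => int, 'status' => string] or null
//   current_user_id(): int           -> id of the logged-in user, 0 when anonymous
//   current_user_is_admin(): bool
//   playlist_videos(int $id): array  -> the video records of the playlist
header('Content-Type: application/json');

// 1. Validate the parameter: only a positive integer is acceptable.
$playlistId = filter_input(INPUT_GET, 'playlists_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($playlistId === false || $playlistId === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid playlists_id']);
    exit;
}

// 2. Load the playlist. An unknown id is handled like a denied one below so
//    the response does not reveal which sequential ids exist.
$playlist = load_playlist($playlistId); // assumed helper

// 3. Public and unlisted playlists need no further check. Any other status,
//    which covers the built-in 'watch_later' and 'favorite' lists, requires an
//    authenticated requester who is the owner or an administrator.
$allowed = false;
if ($playlist !== null) {
    if (in_array($playlist['status'], ['public', 'unlisted'], true)) {
        $allowed = true;
    } else {
        $uid = current_user_id(); // assumed helper
        $allowed = $uid > 0
            && ($uid === (int) $playlist['users_id'] || current_user_is_admin());
    }
}

// 4. Fail closed: 403 before any playlist content is assembled.
if (!$allowed) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// 5. Only a request that passed the check reaches the data.
echo json_encode(playlist_videos($playlistId)); // assumed helper
```

Returning 403 for a non-existent playlist as well as for a denied one is a deliberate choice: it keeps the endpoint from acting as an oracle for which sequential ids are in use.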