CVE-2026-33766
Status: Received - Intake
SSRF Bypass via Unvalidated Redirects in WWBN AVideo

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wwbn | Product: avideo | Version / Range: up to 26.0 (inclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33766 is a Server-Side Request Forgery (SSRF) vulnerability in the WWBN AVideo open source video platform. The vulnerability occurs because the function isSSRFSafeURL() checks URLs against private or reserved IP ranges before fetching content, but the function url_get_contents() follows HTTP redirects automatically without re-validating the safety of the redirected URL. This allows an attacker to supply a public URL that passes the initial check but then redirects to an internal or private IP address, bypassing SSRF protections.

Specifically, an attacker can use a URL that responds with an HTTP 302 redirect to an internal IP address, such as cloud metadata service endpoints (e.g., AWS IMDSv1 at 169.254.169.254), gaining unauthorized access to internal network services. The vulnerability affects certain endpoints in the code where image URLs are validated and fetched.


How can this vulnerability impact me?

This vulnerability can allow an attacker to bypass SSRF protections and make the server perform unauthorized requests to internal or private network resources. This can lead to unauthorized access to sensitive internal services, such as cloud metadata endpoints, which may expose credentials or other sensitive information.

By exploiting this vulnerability, attackers could potentially retrieve sensitive data, perform internal network reconnaissance, or leverage internal services to escalate their attack, compromising the security and integrity of the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Server-Side Request Forgery (SSRF) via HTTP redirects that bypass URL safety checks. Detection can focus on monitoring HTTP requests made by the vulnerable application, especially those that follow redirects to internal or private IP addresses.

You can detect attempts to exploit this vulnerability by inspecting logs or network traffic for HTTP requests originating from the application to internal IP ranges (e.g., 169.254.169.254 or 192.168.x.x) that were initiated by redirects from public URLs.

  • Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the server and filter for private IP ranges.
  • Example tcpdump command to capture HTTP traffic to private or link-local destinations (the address terms are grouped in parentheses because `and` binds tighter than `or` in BPF filters, so without them `port 80` would apply only to the last term): sudo tcpdump -i any '(dst net 192.168.0.0/16 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst host 169.254.169.254) and port 80'
  • Check application logs for requests to the endpoint objects/aVideoEncoderReceiveImage.json.php with parameters like downloadURL_image that contain URLs which respond with HTTP 3xx redirects.
  • Use curl with verbose output to test URLs that might redirect to internal IPs, for example: curl -v https://attacker.com/redir

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves disabling automatic HTTP redirect following in the vulnerable functions and implementing manual redirect handling with strict validation of each redirect target URL.

  • In the PHP function url_get_contents(), set the stream context option 'follow_location' to 0 to disable automatic redirect following.
  • Manually handle HTTP redirects by following up to a limited number (e.g., 5) of redirects, validating each redirect URL with isSSRFSafeURL() to ensure it does not point to internal or reserved IP addresses.
  • For wget fallback on Windows, disable automatic redirects by adding the --max-redirect=0 option.
  • Apply the patch from commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 which implements these changes.

These steps prevent attackers from bypassing SSRF protections by redirecting from a safe public URL to an internal or private IP address.
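The mitigation steps above worked through in PHP, as an added example. This is not AVideo's code and not the patch in the commit referenced above: the helper names ssrf_safe_url(), resolve_location() and safe_url_get_contents() are assumptions standing in for the project's isSSRFSafeURL() and url_get_contents(), and the private/reserved-range test is done with PHP's built-in FILTER_VALIDATE_IP flags rather than the project's own range list. Automatic redirects are switched off with 'follow_location' => 0, and each hop is re-validated by hand before it is fetched.

```php
<?php
// Added example, not AVideo's code. ssrf_safe_url(), resolve_location() and
// safe_url_get_contents() are assumed names standing in for the project's
// isSSRFSafeURL() and url_get_contents(). Requires PHP 8.

// Reject any URL whose host resolves to a private or reserved address. The
// test is on the resolved addresses, so a hostname with an A record of
// 169.254.169.254 is rejected just like the bare IP literal.
function ssrf_safe_url(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($p['host'], '[]');                    // strip IPv6 brackets
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $ips = [$host];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'];
        }
    }
    if ($ips === []) {
        return false;                                  // unresolvable: fail closed
    }
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE: 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10, ...
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Turn a possibly relative Location header into an absolute URL.
function resolve_location(string $base, string $location): string {
    if (parse_url($location, PHP_URL_SCHEME) !== null) {
        return $location;                              // already absolute
    }
    $b = parse_url($base);
    if (str_starts_with($location, '//')) {
        return $b['scheme'] . ':' . $location;         // protocol-relative
    }
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    if (str_starts_with($location, '/')) {
        return $origin . $location;
    }
    $dir = rtrim(dirname($b['path'] ?? '/'), '/');
    return $origin . $dir . '/' . $location;
}

// Fetch with automatic redirects disabled and follow at most $maxRedirects
// hops by hand, running the SSRF check on every target before requesting it.
function safe_url_get_contents(string $url, int $maxRedirects = 5): string|false {
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        if (!ssrf_safe_url($url)) {
            error_log("SSRF check rejected URL at hop $hop: $url");
            return false;
        }
        $ctx = stream_context_create(['http' => [
            'method'          => 'GET',
            'follow_location' => 0,      // the fix: never follow redirects automatically
            'ignore_errors'   => true,   // hand 3xx/4xx responses back instead of warning
            'timeout'         => 10,
        ]]);
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            return false;
        }
        // PHP fills $http_response_header in this scope after the call.
        $status = 0;
        $location = null;
        foreach ($http_response_header as $h) {
            if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
                $status = (int) $m[1];
            } elseif (stripos($h, 'Location:') === 0) {
                $location = trim(substr($h, 9));
            }
        }
        if ($status < 300 || $status >= 400 || $location === null) {
            return $body;                              // final response
        }
        $url = resolve_location($url, $location);      // next loop re-validates it
    }
    error_log("Redirect limit of $maxRedirects exceeded for $url");
    return false;
}

// Offline checks on constructed URLs (no network needed):
var_dump(ssrf_safe_url('http://169.254.169.254/latest/meta-data/'));   // bool(false)
var_dump(ssrf_safe_url('http://[::1]/'));                              // bool(false)
var_dump(resolve_location('https://cdn.example/a/img.jpg', '../x.png')); // string(...)
```

Two points worth keeping in mind when adapting this. First, the check resolves the hostname and the stream wrapper resolves it again when fetching, so a name whose DNS answer changes between the two lookups (DNS rebinding) can still slip through; the stronger form pins the fetch to the address that was validated, which with cURL is done via CURLOPT_RESOLVE. Second, the wget fallback the page mentions must be hardened separately with --max-redirect=0, otherwise that code path reintroduces the same automatic redirect following this function removes.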


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to bypass SSRF protections and access internal network services or cloud metadata endpoints by exploiting HTTP redirects. This unauthorized access to internal resources could potentially lead to exposure of sensitive data or internal infrastructure details.

Such unauthorized access and potential data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information and mandate strict controls on data access and network security.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

