CVE-2026-33766
Received Received - Intake
SSRF Bypass via Unvalidated Redirects in WWBN AVideo

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33766
EUVD
EUVD-2026-16652
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33766 is a Server-Side Request Forgery (SSRF) vulnerability in the WWBN AVideo open source video platform. The vulnerability occurs because the function isSSRFSafeURL() checks URLs against private or reserved IP ranges before fetching content, but the function url_get_contents() follows HTTP redirects automatically without re-validating the safety of the redirected URL. This allows an attacker to supply a public URL that passes the initial check but then redirects to an internal or private IP address, bypassing SSRF protections.

Specifically, an attacker can use a URL that responds with an HTTP 302 redirect to an internal IP address, such as cloud metadata service endpoints (e.g., AWS IMDSv1 at 169.254.169.254), gaining unauthorized access to internal network services. The vulnerability affects certain endpoints in the code where image URLs are validated and fetched.

Impact Analysis

This vulnerability can allow an attacker to bypass SSRF protections and make the server perform unauthorized requests to internal or private network resources. This can lead to unauthorized access to sensitive internal services, such as cloud metadata endpoints, which may expose credentials or other sensitive information.

By exploiting this vulnerability, attackers could potentially retrieve sensitive data, perform internal network reconnaissance, or leverage internal services to escalate their attack, compromising the security and integrity of the affected system.

Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) via HTTP redirects that bypass URL safety checks. Detection can focus on monitoring HTTP requests made by the vulnerable application, especially those that follow redirects to internal or private IP addresses.

You can detect attempts to exploit this vulnerability by inspecting logs or network traffic for HTTP requests originating from the application to internal IP ranges (e.g., 169.254.169.254 or 192.168.x.x) that were initiated by redirects from public URLs.

  • Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the server and filter for private IP ranges.
  • Example tcpdump command to capture HTTP traffic to private IPs: sudo tcpdump -i any dst net 192.168.0.0/16 or dst net 10.0.0.0/8 or dst net 169.254.169.254 and port 80
  • Check application logs for requests to the endpoint objects/aVideoEncoderReceiveImage.json.php with parameters like downloadURL_image that contain URLs which respond with HTTP 3xx redirects.
  • Use curl with verbose output to test URLs that might redirect to internal IPs, for example: curl -v https://attacker.com/redir
Mitigation Strategies

Immediate mitigation involves disabling automatic HTTP redirect following in the vulnerable functions and implementing manual redirect handling with strict validation of each redirect target URL.

  • In the PHP function url_get_contents(), set the stream context option 'follow_location' to 0 to disable automatic redirect following.
  • Manually handle HTTP redirects by following up to a limited number (e.g., 5) of redirects, validating each redirect URL with isSSRFSafeURL() to ensure it does not point to internal or reserved IP addresses.
  • For wget fallback on Windows, disable automatic redirects by adding the --max-redirect=0 option.
  • Apply the patch from commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 which implements these changes.

These steps prevent attackers from bypassing SSRF protections by redirecting from a safe public URL to an internal or private IP address.

Compliance Impact

The vulnerability allows an attacker to bypass SSRF protections and access internal network services or cloud metadata endpoints by exploiting HTTP redirects. This unauthorized access to internal resources could potentially lead to exposure of sensitive data or internal infrastructure details.

Such unauthorized access and potential data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information and mandate strict controls on data access and network security.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart