CVE-2026-33692
Received Received - Intake

WWBN AVideo .env File Exposure via Docker Misconfiguration

Vulnerability report for CVE-2026-33692, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. Versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mounts the entire project root directory as the Apache document root, causing the .env file β€” which contains database credentials, admin passwords, and infrastructure configuration β€” to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network. This issue has been resolved in version 29.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

WWBN AVideo prior to version 29.0 has a flaw in its Docker setup. The docker-compose.yml file incorrectly mounts the entire project root as the Apache document root, exposing sensitive .env files containing database credentials and passwords to unauthenticated users via /.env.

Detection Guidance

Check if your AVideo Docker deployment exposes the .env file by accessing http://your-server/.env in a browser or using curl. If the file is accessible, it will reveal sensitive credentials and configuration details.

Impact Analysis

Attackers can access the .env file to obtain database credentials and admin passwords, leading to database compromise, admin panel takeover, and potential lateral movement within the Docker network.

Compliance Impact

This vulnerability likely violates GDPR due to unauthorized access to personal data and HIPAA if health-related data is exposed. It compromises confidentiality requirements and may lead to regulatory penalties.

Mitigation Strategies

Upgrade AVideo to version 29.0 or later immediately. If upgrading is not possible, modify the Docker configuration to exclude the .env file from the document root or add an Apache rule to block access to dotfiles.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33692. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart