CVE-2026-33650 is a high-severity vulnerability in WWBN AVideo, an open-source video platform. A user holding the "Videos Moderator" permission can escalate to full video management, including transferring ownership of, and deleting, any video on the instance. The permission is documented as allowing only changes to a video's publicity state (Active, Inactive, Unlisted), so the flaw is one of authorization: the check grants far more than the documented scope.
Versions up to and including 26.0 are affected. In `videoAddNew.json.php`, `Permissions::canModerateVideos()` is used as the gate for the full video-edit operation, so a moderator can change any field of a video, including its owner. `videoDelete.json.php`, by contrast, checks only ownership. The two endpoints therefore enforce different authorization boundaries, and a moderator chains them in two steps: first transfer ownership of the target video to themselves through the edit endpoint, then delete it through the delete endpoint as its new owner.
The CVSS base score is 7.6 (High). The attack vector is network, attack complexity is low, and low privileges are required (any account holding the moderator permission). The confidentiality impact is low and the integrity impact is high, since any video can be reassigned or destroyed. Organizations running affected versions should treat this as a priority patch.
The vulnerability was published on March 23, 2026. The fix is commit 838e16818c793779406ecbf34ebaeba9830e33f8; organizations should run a release of AVideo that includes it.
The risk to organizations is unauthorized management of videos by low-privileged moderator accounts: content can be reassigned, altered, or deleted, with limited exposure of video data. Organizations should determine whether they run an affected version and which accounts hold the moderator permission, and respond accordingly.
Vulnerability Details
The vulnerability allows a user with the "Videos Moderator" permission to escalate privileges beyond the permission's documented scope. The root cause is an authorization check that treats the moderator permission as sufficient for operations that should be restricted to the video's owner. The specifics are:
CVE ID: CVE-2026-33650
CVSS Score: 7.6 (High)
Affected Product: WWBN AVideo
Publication Date: March 23, 2026
CWE Classification: CWE-863 (Incorrect Authorization)
Technical Analysis
The vulnerability is rooted in how permissions are checked. `Permissions::canModerateVideos()` is used in `videoAddNew.json.php` as the gate for the full video-edit operation, so a successful check unlocks every editable field. It should have authorized only the publicity-state changes (Active, Inactive, Unlisted) that the permission is documented to cover, with everything else still requiring ownership.
The attack is network-based, of low complexity, and needs only low privileges (an account holding the permission); no user interaction is required. The confidentiality impact is limited, but the integrity impact is high because arbitrary videos can be reassigned and deleted.
The two endpoints disagree about who is authorized: the edit endpoint accepts owner or moderator, while `videoDelete.json.php` accepts the owner only. A moderator exploits this asymmetric boundary in two steps. First, the moderator uses the edit endpoint to transfer ownership of the target video to their own account. Second, now the owner of record, the moderator calls the delete endpoint, which sees a valid owner and deletes the video. The intended restriction (moderators cannot delete others' videos) is bypassed without ever touching the delete endpoint's own check.
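The following is an added example written for this page, not code from AVideo or from the fix commit. It is a self-contained model of the asymmetric boundary described above: `User`, `Video`, the permission name `MODERATE_VIDEOS`, and the edit/delete functions are assumed names chosen for illustration. `vulnerable_edit` mirrors the shape of the flaw (a moderator gate that unlocks the whole edit request), `delete_video` checks ownership only, and `hardened_edit` shows the fix pattern of limiting a non-owner moderator to the documented publicity states. `run_chain` replays the two-step chain against each edit gate.

```python
"""Model of the asymmetric authorization boundary behind CVE-2026-33650.

Constructed example, not AVideo's code: User, Video, MODERATE_VIDEOS and the
edit/delete functions are assumed names that mirror the shape of the flaw the
advisory describes (a moderator gate that unlocks the whole edit form, next to
a delete gate that checks ownership only).
"""
from dataclasses import dataclass, field

MODERATE_VIDEOS = "videos_moderator"                    # assumed permission name
PUBLICITY_STATES = {"active", "inactive", "unlisted"}   # documented scope of the permission


@dataclass
class User:
    id: int
    permissions: set = field(default_factory=set)

    def can_moderate_videos(self) -> bool:
        # Stands in for Permissions::canModerateVideos(); not the project's code.
        return MODERATE_VIDEOS in self.permissions


@dataclass
class Video:
    id: int
    owner_id: int
    status: str = "active"


class AuthorizationError(Exception):
    pass


# Vulnerable pattern: the moderator check is treated as equivalent to ownership,
# so every field of the edit request, including owner_id, is writable.
def vulnerable_edit(user: User, video: Video, changes: dict) -> None:
    if not (user.id == video.owner_id or user.can_moderate_videos()):
        raise AuthorizationError("not owner or moderator")
    for key, value in changes.items():
        setattr(video, key, value)


# Delete checks ownership only (the other side of the asymmetric boundary).
def delete_video(user: User, video: Video, store: dict) -> None:
    if user.id != video.owner_id:
        raise AuthorizationError("only the owner may delete")
    del store[video.id]


# Hardened pattern: a moderator who is not the owner may change the publicity
# state and nothing else; any other field requires ownership.
def hardened_edit(user: User, video: Video, changes: dict) -> None:
    if user.id == video.owner_id:
        allowed = set(changes)
    elif user.can_moderate_videos():
        allowed = {"status"}
        if "status" in changes and changes["status"] not in PUBLICITY_STATES:
            raise AuthorizationError("moderator may only set a publicity state")
    else:
        raise AuthorizationError("not owner or moderator")
    disallowed = set(changes) - allowed
    if disallowed:
        raise AuthorizationError(f"field(s) not permitted: {sorted(disallowed)}")
    for key, value in changes.items():
        setattr(video, key, value)


def run_chain(edit) -> str:
    """Replay the two-step chain (transfer ownership, then delete) with a
    moderator who does not own the target video, using the given edit gate."""
    store = {42: Video(id=42, owner_id=1)}
    moderator = User(id=7, permissions={MODERATE_VIDEOS})
    video = store[42]
    try:
        edit(moderator, video, {"owner_id": moderator.id})   # step 1: take ownership
    except AuthorizationError as exc:
        return f"blocked at ownership transfer: {exc}"
    try:
        delete_video(moderator, video, store)                # step 2: delete as owner
    except AuthorizationError as exc:
        return f"blocked at delete: {exc}"
    return "video deleted by non-owner moderator"


if __name__ == "__main__":
    print("vulnerable edit gate:", run_chain(vulnerable_edit))
    print("hardened edit gate:  ", run_chain(hardened_edit))
```

The point the model makes is that the delete gate is never the thing that fails: it is correct in isolation, and the chain works because the edit gate lets the attacker satisfy it. The fix therefore belongs in the edit path, as an allow-list of fields per role, rather than in additional checks on delete.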
Risk & Impact Analysis
This vulnerability poses a significant risk to organizations using AVideo because a moderator account can manipulate or delete any video on the instance. A low-privileged role escalating to owner-equivalent control over all content can cause loss of published material and disruption of the platform's content management.
With a CVSS score of 7.6, organizations should remediate promptly. Exploitation requires only a moderator account and no user interaction, and the integrity impact is high because ownership transfer and deletion are irreversible from the attacker's side unless backups exist.
Organizations should address this vulnerability in their priority patch cycle. The blast radius is not limited to content the moderator already had rights over: because any video can be reassigned and then deleted, the exposure is the instance's entire video catalogue.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
All versions up to and including 26.0 of WWBN AVideo are affected by this vulnerability. Organizations should ensure they have updated to the latest version to mitigate any risk.
Mitigation & Remediation
Organizations should prioritize patching by upgrading to a version of AVideo that includes commit 838e16818c793779406ecbf34ebaeba9830e33f8, which corrects the authorization checks.
Where immediate patching is not possible, reduce exposure by reviewing which accounts hold the "Videos Moderator" permission and revoking it from any that do not need it, since the permission is the only privilege required; in parallel, monitor video management operations for ownership transfers and deletions performed by accounts that did not originally own the video.
After patching, an authorization test confirms the fix: with a moderator account that does not own a test video, attempt to change its owner through the edit endpoint and verify that the request is rejected and the video's publicity state is the only field the account can change.
Detection Guidance
To detect potential exploitation, monitor application or database audit records for two patterns: a video's owner being changed by a user who was not the current owner, and a deletion of that video by the new owner shortly after the transfer. The first is the exploitation step itself; the second is the completed chain. Either should be flagged for investigation, and other unexpected edits of non-publicity fields by moderator accounts deserve the same treatment.
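As an added example, not from the page or from AVideo, the two detection rules above run over constructed audit events. The JSON-lines schema (fields `ts`, `user_id`, `action`, `video_id`, `owner_before`, `owner_after`) and the 15-minute chain window are assumptions; real AVideo request logs do not carry the previous owner, so in practice these fields come from a database audit trigger or from enriching application logs with the pre-change row.

```python
"""Detection logic for the CVE-2026-33650 chain over audit events.

Constructed example, not from the page or from AVideo. The JSON-lines schema
below (fields ts, user_id, action, video_id, owner_before, owner_after) is an
assumption; map your own application or database audit logs onto it.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: video 42 is taken over and deleted by user 7, who
# never owned it; the other lines are legitimate owner activity.
SAMPLE_LOG = """\
{"ts": "2026-03-24T10:00:01Z", "user_id": 1, "action": "video_update", "video_id": 42, "owner_before": 1, "owner_after": 1}
{"ts": "2026-03-24T10:05:10Z", "user_id": 7, "action": "video_update", "video_id": 42, "owner_before": 1, "owner_after": 7}
{"ts": "2026-03-24T10:05:12Z", "user_id": 7, "action": "video_delete", "video_id": 42, "owner_before": 7, "owner_after": null}
{"ts": "2026-03-24T11:00:00Z", "user_id": 3, "action": "video_update", "video_id": 43, "owner_before": 3, "owner_after": 3}
{"ts": "2026-03-24T11:30:00Z", "user_id": 5, "action": "video_update", "video_id": 44, "owner_before": 5, "owner_after": 8}
"""

CHAIN_WINDOW = timedelta(minutes=15)   # assumed: how close transfer and delete must be


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events: list) -> list:
    """Two rules, evaluated in time order:
    1. ownership changed by someone other than the current owner;
    2. a delete by the new owner shortly after any ownership transfer."""
    alerts = []
    last_transfer = {}   # video_id -> most recent ownership-transfer event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "video_update" and ev["owner_before"] != ev["owner_after"]:
            if ev["user_id"] != ev["owner_before"]:
                alerts.append({"rule": "non_owner_ownership_transfer",
                               "video_id": ev["video_id"], "user_id": ev["user_id"],
                               "ts": ev["ts"]})
            last_transfer[ev["video_id"]] = ev
        elif ev["action"] == "video_delete":
            t = last_transfer.get(ev["video_id"])
            if t and ev["user_id"] == t["owner_after"] and ev["ts"] - t["ts"] <= CHAIN_WINDOW:
                alerts.append({"rule": "transfer_then_delete_chain",
                               "video_id": ev["video_id"], "user_id": ev["user_id"],
                               "ts": ev["ts"],
                               "seconds_after_transfer": (ev["ts"] - t["ts"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["rule"], "video", a["video_id"], "user", a["user_id"], a["ts"].isoformat())
```

Rule 1 is the higher-fidelity signal: on an unpatched instance a non-owner changing `owner_id` is exactly the bug being exercised, while on a patched instance it should never succeed. Rule 2 also fires when a legitimate owner hands a video over and the recipient deletes it soon after, so it is a lead for triage rather than a definitive indicator; the sample log's video 44 (owner-initiated transfer) shows the case that must stay silent.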
AppSecure Threat Intelligence Insight
This vulnerability highlights the importance of permission checks that match the documented scope of a role. Security teams should review their authorization models to confirm that each permission grants only the operations it is documented to allow, and that different endpoints acting on the same object enforce the same boundary: a moderator-level check on one endpoint and an owner-level check on another is the asymmetry that made this chain possible.
The case fits a broader pattern in application security in which coarse authorization checks reused across operations of different sensitivity lead to privilege escalation. Organizations should take proactive steps, including authorization-focused testing of multi-step workflows, to prevent similar vulnerabilities.
Penetration testing methodology that exercises each privilege level against every object-level operation, together with regular security assessments, is the most direct way to find this class of flaw before release.
A vulnerability management program that tracks fix commits and affected version ranges helps organizations confirm they are running patched builds over time.
Overall, the lessons from CVE-2026-33650 can inform future security measures and help organizations remain vigilant against similar threats.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.