CVE-2026-33037 in AVideo
Summary
by MITRE • 03/20/2026
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-33037 affects WWBN AVideo version 25.0 and earlier, representing a critical security flaw in the platform's default configuration. This issue stems from the inclusion of weak default credentials in the official Docker deployment artifacts, specifically the docker-compose.yml and env.example files that ship with the software. The administrative account is seeded with the password "password" without any mechanism to enforce password changes upon first login, creating an immediate and severe attack surface for any deployment that fails to override these defaults. The vulnerability aligns with CWE-798, which addresses the use of hard-coded credentials, and CWE-326, concerning weak encryption, as the password is hashed using the deprecated MD5 algorithm that provides minimal security protection. The flaw is particularly concerning because it enables complete administrative control of the platform with minimal effort, making it a prime target for automated exploitation campaigns.
The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides attackers with full administrative privileges that can be leveraged for extensive data breaches and system compromise. Once an attacker gains administrative access, they can manipulate user data, modify content, and potentially execute remote code through file upload mechanisms and plugin management capabilities. The database credentials are equally compromised, using the default values of "avideo/avideo", which further compounds the risk by allowing direct database access. This dual compromise significantly increases the attack surface and potential damage scope, as attackers can directly manipulate the underlying data store. The vulnerability is particularly dangerous in automated deployments and demonstration environments where security configuration is often overlooked or bypassed during rapid setup processes. According to the ATT&CK framework, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing), as attackers can leverage the default credentials to establish persistent access and then expand their compromise through other attack vectors.
The exploitation of this vulnerability requires minimal technical skill and relies entirely on operators failing to change the default configurations during deployment. This makes it highly prevalent in quick-start scenarios, automated deployments, and demo installations where security hardening is not prioritized. The default password is not only easily guessable but also widely known, making it trivial for attackers to gain administrative access. The absence of any compensating security controls such as password complexity requirements, default password detection mechanisms, or forced password change policies creates a complete security failure. The MD5 hashing of the password, while not directly exploitable for password recovery, provides no protection against rainbow table attacks or brute force attempts due to the weak nature of the algorithm. This vulnerability demonstrates a fundamental failure in secure-by-default configuration practices and highlights the importance of implementing proper security measures during software development and deployment processes. Organizations deploying this software without proper configuration changes are essentially providing a backdoor to their entire video platform infrastructure, making it a critical vulnerability that should be addressed immediately through patching or configuration hardening measures.
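As an added example (not part of the MITRE summary or the VulDB analysis, and not AVideo's own code), the following Python audit gives operators the default-password detection the advisory says the product lacks: it parses a dotenv-style deployment file for the defaults named above and checks a stored admin hash against an unsalted MD5 of "password". The environment key SYSTEM_ADMIN_PASSWORD comes from the advisory; the database key names (MYSQL_USER, MYSQL_PASSWORD), the unsalted MD5 storage format and the sample file contents are assumptions.

```python
"""Audit an AVideo-style deployment for the insecure defaults in CVE-2026-33037."""
import hashlib

# Values named in the advisory. SYSTEM_ADMIN_PASSWORD is from the advisory;
# the database key names are assumed to match env.example.
DEFAULTS = {
    "SYSTEM_ADMIN_PASSWORD": {"password"},
    "MYSQL_USER": {"avideo"},        # assumed key name
    "MYSQL_PASSWORD": {"avideo"},    # assumed key name
}


def parse_env(text: str) -> dict:
    """Minimal dotenv parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def find_default_credentials(env: dict) -> list:
    """Return the keys (in DEFAULTS order) whose value is a known insecure default."""
    return [key for key, bad in DEFAULTS.items() if env.get(key) in bad]


def is_default_admin_hash(stored_hash: str, default: str = "password") -> bool:
    """True if an unsalted MD5 hex digest (assumed storage format) equals md5(default).

    Useful for auditing an existing instance whose admin row predates hardening.
    """
    return stored_hash.strip().lower() == hashlib.md5(default.encode()).hexdigest()


# Constructed sample resembling the shipped defaults; not the project's real file.
SAMPLE_ENV = """# constructed sample
SYSTEM_ADMIN_PASSWORD=password
MYSQL_USER=avideo
MYSQL_PASSWORD="avideo"
"""

if __name__ == "__main__":
    print("insecure defaults still set:", find_default_credentials(parse_env(SAMPLE_ENV)))
```

Run it against the real .env before first start, and the hash check against the admin row of an already-deployed instance, to confirm the defaults were actually overridden.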