CVE-2026-33043 in AVideo
Summary
by MITRE • 03/20/2026
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
Analysis
by VulDB Data Team • 03/26/2026
CVE-2026-33043 affects WWBN AVideo, an open source video management platform that is widely used to host and manage video content. The flaw is present in versions 25.0 and earlier and is a critical weakness in the platform's authentication and session management. It stems from improper handling of cross-origin resource sharing (CORS) headers in the platform's PHP session management component, which opens an attack surface that can be exploited without any authentication credentials.
The vulnerability is reached through the /objects/phpsessionid.json.php endpoint, which returns the current PHP session identifier to any unauthenticated request. The endpoint's allowOrigin() function reflects whatever Origin header the request carries back in the Access-Control-Allow-Origin response header while also setting Access-Control-Allow-Credentials to true. That combination lets an attacker host a web page that makes credentialed cross-origin requests to the vulnerable AVideo instance and reads the session cookie of any legitimate user who visits the page. Because arbitrary origins are granted credentialed access, the result is cross-origin session theft that can lead to complete account takeover.
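As an added illustration (not code from AVideo or from the original advisory), the following Python models the CORS decision the analysis describes: reflect_origin() is the flawed reflect-any-Origin-with-credentials pattern, allowlist_origin() is one hardened alternative, and check_response() is a defender's check that flags the dangerous header combination in a captured response. The origins used are constructed values.

```python
from urllib.parse import urlsplit

def reflect_origin(origin):
    """Flawed pattern: echo any request Origin and allow credentials."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }

def allowlist_origin(origin, allowed):
    """Hardened pattern (one possible fix, not AVideo's): only an exact,
    pre-approved origin receives credentialed CORS headers; anything else
    gets no CORS headers, so the browser blocks the cross-origin read."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # Reject "null", bare hostnames, and origins carrying a path or query.
    if parts.scheme not in ("https", "http") or not parts.netloc \
            or parts.path not in ("", "/") or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # responses differ per origin; keep caches honest
    }

def check_response(probe_origin, headers):
    """Detector for the dangerous combination. Call it with an Origin the
    server has no reason to trust; True means that origin was reflected
    together with Access-Control-Allow-Credentials: true."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # "*" combined with credentials is refused by browsers, so it is not this bug.
    return creds and acao == probe_origin

if __name__ == "__main__":
    probe = "https://untrusted.example"  # constructed probe origin
    trusted = {"https://videos.example"}  # constructed allowlist
    print("flawed  :", check_response(probe, reflect_origin(probe)))
    print("hardened:", check_response(probe, allowlist_origin(probe, trusted)))
```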
The operational impact is severe for any organization running an affected version of AVideo. Attackers can use the flaw to steal active user sessions and gain unauthorized access to accounts, including sensitive video content, user data, and administrative functions. Because the session ID is exposed without any authentication requirement, a stolen session allows full account takeover: the attacker can impersonate the legitimate user and act within the platform as if authorized. This is especially dangerous where users hold elevated privileges or have access to confidential content, as it can lead to data breaches and unauthorized changes to video libraries.
The vulnerability is classified as CWE-346, "Origin Validation Error", and is a classic example of an insecure CORS implementation. It also maps to ATT&CK technique T1566.002, social engineering through malicious links or files, as attackers could craft malicious web pages that exploit the CORS misconfiguration. The flaw further exhibits the credential exposure and session hijacking patterns commonly seen in web application security assessments. Organizations should upgrade to version 26.0 or later without delay; the fix properly validates CORS origins so that arbitrary origins are no longer reflected, while preserving session security. The case underlines the importance of correct CORS header handling and session management in web applications to prevent unauthorized access and protect user account integrity.