CVE-2026-33237 in AVideo
Summary
by MITRE • 03/21/2026
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-33237 affects the WWBN AVideo platform, specifically the Scheduler plugin's execution functionality. It is a server-side request forgery issue in versions prior to 26.0: the callback URL of a scheduled task is fetched server-side without the check that would stop it from pointing at the internal network. The flaw resides in the run() function of plugin/Scheduler/Scheduler.php, which passes the admin-configured callbackURL to url_get_contents() after only a format check. Exploitation requires administrator access to the AVideo instance, so this is an authenticated SSRF rather than one reachable by anonymous users.
The technical flaw stems from inconsistent validation of callback URLs. The Scheduler validates the value with isValidURL(), which only confirms that the string is a well-formed URL; it never calls isSSRFSafeURL(), the check that AVideo had already applied to other endpoints when it patched earlier SSRF reports (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6). isSSRFSafeURL() rejects destinations in RFC 1918 private ranges, loopback addresses and cloud metadata endpoints. Because the Scheduler skipped it, an administrator could save a task whose callbackURL resolves to any of those destinations and the platform would request it on the configured schedule.
The operational impact goes beyond network reconnaissance. In a cloud deployment, a task whose callbackURL targets the instance metadata service (AWS EC2 metadata at 169.254.169.254, or the Azure Instance Metadata Service) makes the AVideo server fetch it from inside the instance, where the address is reachable. Depending on the provider and its configuration, the metadata service returns instance identifiers, network details and, on AWS, temporary IAM credentials for the instance role, which can then be used against the wider cloud account. Two caveats apply. On AWS, IMDSv2 requires a session token obtained with a PUT request before any GET succeeds, so instances that enforce IMDSv2 do not hand out credentials to a plain GET; on Azure, the IMDS rejects requests that lack the Metadata: true header. Whether the fetched body is ever shown to the configuring administrator depends on what run() does with the return value of url_get_contents(), which the advisory does not detail; even a blind request can still trigger actions on internal HTTP APIs that were never meant to be reachable from the web tier.
The remediation is to subject the Scheduler's callbackURL to the same SSRF validation as the rest of the platform, that is, to route it through isSSRFSafeURL() before url_get_contents() is called. Version 26.0 contains the fix. Organizations should upgrade to 26.0 or later and, since the vulnerable configuration persists in the database, review every existing scheduled task to confirm that no callbackURL points at a private, loopback, link-local or metadata address. Defense in depth also matters here: enforcing IMDSv2 on AWS instances, restricting the metadata hop limit, and limiting outbound connections from the web tier to the destinations it actually needs all reduce what an SSRF can reach regardless of application-level checks. The issue also shows why URL handling needs consistent validation across every code path that performs an outbound request, not only the ones that have already been reported. It falls under CWE-918, Server-Side Request Forgery. The listed ATT&CK mapping to T1071.004 is a loose fit, since that sub-technique is Application Layer Protocol: DNS; the technique that most directly describes abusing an SSRF to read a metadata service is T1552.005, Unsecured Credentials: Cloud Instance Metadata API.
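The following is an added example written for this page, not code from AVideo. It illustrates both the missing check described in the analysis and the post-upgrade audit of stored tasks recommended above. The functions isValidURL() and isSSRFSafeURL() carry the names the advisory uses, but their bodies here are this example's own reimplementation from the advisory's description, not the project's code; resolveSafeAddresses(), fetchCallback() and auditCallbackURLs() are likewise hypothetical helpers. It assumes PHP 7.4 or later with the curl extension, and the task list at the bottom is constructed sample data.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo's code. isValidURL() and isSSRFSafeURL() are
// reimplemented from their description in the advisory; the other helpers
// are this example's own. Assumes PHP >= 7.4 with ext-curl.

/** Format check only: the level of validation the Scheduler had before 26.0.
 *  It accepts http://169.254.169.254/ and http://10.0.0.1/ without complaint. */
function isValidURL(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}

/** True for any address an outbound fetch must never reach. */
function isBlockedAddress(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (RFC 1918) and fc00::/7.
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (link-local, which includes
    // the 169.254.169.254 metadata address), 240/4, ::1, :: and fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return true;
    }
    // Two IPv4 ranges those flags leave alone: CGNAT and multicast.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        [$a, $b] = array_map('intval', explode('.', $ip));
        if ($a === 100 && $b >= 64 && $b <= 127) return true; // 100.64.0.0/10
        if ($a >= 224 && $a <= 239) return true;              // 224.0.0.0/4
    }
    return false;
}

/** Resolve the URL's host and return its addresses, or [] if the host is
 *  unresolvable, is a known metadata name, or has any internal address. */
function resolveSafeAddresses(string $url): array
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return [];
    }
    $host = strtolower(trim($host, '[]'));
    // Names used by cloud metadata services; reject before any DNS lookup.
    if (in_array($host, ['localhost', 'metadata', 'metadata.google.internal'], true)) {
        return [];
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];
    } else {
        $addrs = [];
        $records = dns_get_record($host, DNS_A | DNS_AAAA);
        foreach ($records === false ? [] : $records as $rr) {
            $addrs[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
        }
    }
    foreach ($addrs as $ip) {
        if ($ip === '' || isBlockedAddress($ip)) {
            return []; // fail closed: one bad address rejects the whole URL
        }
    }
    return $addrs;
}

/** The check the Scheduler's run() was missing before 26.0. */
function isSSRFSafeURL(string $url): bool
{
    return isValidURL($url) && resolveSafeAddresses($url) !== [];
}

/** Hardened fetch: validates, pins the vetted addresses in curl so a DNS
 *  rebind between check and connect cannot point the request inward, and
 *  refuses redirects because a Location target would be unchecked. */
function fetchCallback(string $url): ?string
{
    $addrs = isValidURL($url) ? resolveSafeAddresses($url) : [];
    if ($addrs === []) {
        return null;
    }
    $host = strtolower(trim((string) parse_url($url, PHP_URL_HOST), '[]'));
    $port = parse_url($url, PHP_URL_PORT)
        ?? (parse_url($url, PHP_URL_SCHEME) === 'https' ? 443 : 80);
    $pin = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [] : ["{$host}:{$port}:" . implode(',', $addrs)];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_RESOLVE        => $pin,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

/** Post-upgrade audit: return the stored tasks (id => callbackURL) whose
 *  URL the hardened check rejects. */
function auditCallbackURLs(array $tasks): array
{
    return array_filter($tasks, fn(string $url): bool => !isSSRFSafeURL($url));
}

// Constructed sample of stored Scheduler tasks, not real data. 203.0.113.0/24
// is a documentation range, used here as the one legitimate public target.
$tasks = [
    1 => 'https://203.0.113.10/avideo/callback',
    2 => 'http://169.254.169.254/latest/meta-data/iam/security-credentials/',
    3 => 'http://10.0.3.7:8080/internal/api',
    4 => 'http://[::1]:8080/',
    5 => 'http://metadata.google.internal/computeMetadata/v1/',
];
print_r(auditCallbackURLs($tasks));
```

Run on the constructed list, the audit rejects the link-local metadata address, the RFC 1918 host, the IPv6 loopback literal and the GCP metadata hostname, while the documentation-range address passes; all four rejected entries are ones isValidURL() alone would have accepted. Two design points are worth noting. The check resolves the hostname and judges every returned address, because a format-only check cannot see that a public-looking name resolves to 169.254.169.254. Validation before the request still leaves a window for DNS rebinding, which is why fetchCallback() hands the already-vetted addresses to curl through CURLOPT_RESOLVE instead of letting the HTTP client resolve the name a second time.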