CVE-2026-33297 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control. Version 26.0 contains a patch for the issue.


Analysis

by VulDB Data Team • 03/23/2026

The vulnerability identified as CVE-2026-33297 affects the WWBN AVideo platform, specifically within the CustomizeUser plugin's `setPassword.json.php` endpoint. This issue represents a critical security flaw that undermines the platform's access control mechanisms and demonstrates poor input validation practices. The vulnerability exists in versions prior to 26.0, indicating that the developers recognized and addressed this weakness in their subsequent release. The flaw resides in how the system processes password values submitted through the administrative interface, creating a fundamental weakness in the authentication system that affects channel-level security controls.

The technical root cause of this vulnerability stems from a logic error in the password processing pipeline where non-numeric characters are silently converted to integer zero through implicit type coercion. This behavior violates fundamental security principles and represents a classic case of inadequate input sanitization. When administrators attempt to set channel passwords containing alphanumeric characters, special symbols, or other non-numeric values, the system fails to properly validate or sanitize these inputs before storage. The coercion to integer zero occurs at the data processing level, effectively nullifying any attempt to establish meaningful access controls. This type of vulnerability aligns with CWE-707, which addresses improper neutralization of input during web application design, and specifically relates to improper handling of data types in security-critical functions.

The operational impact of this vulnerability is severe and directly compromises the platform's security posture. Any visitor can trivially bypass channel-level access controls by simply guessing the password value of zero, rendering the entire channel protection mechanism ineffective. This creates a scenario where unauthorized users can gain access to protected content that administrators intended to restrict. The vulnerability affects all users who have been assigned channel passwords through the compromised endpoint, potentially exposing sensitive video content to the public. Attackers exploiting this weakness can systematically access any channel that has had a password set, undermining the platform's core security model and potentially exposing intellectual property or private content. The ease of exploitation, combined with the complete bypass of access controls, makes this vulnerability particularly dangerous in environments where content security is paramount.

Mitigation strategies for this vulnerability should focus on immediate patch deployment to version 26.0 or later, which contains the necessary fixes. Organizations should conduct comprehensive security assessments of their AVideo installations to identify any affected instances and ensure proper patch management protocols are in place. The fix should include proper input validation that rejects non-numeric characters or properly sanitizes all password inputs before storage. Security teams should implement monitoring for unauthorized password changes and consider temporary access restrictions while patches are deployed. This vulnerability demonstrates the importance of proper data type handling in security-sensitive applications and aligns with ATT&CK technique T1213.002, which covers data from information repositories, emphasizing the need for secure handling of user credentials and access controls. Additionally, organizations should review their input validation processes and implement robust sanitization routines to prevent similar issues in other components of their systems.
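The coercion described above and a storage path that avoids it, as an added illustration that is not AVideo's code or the 26.0 patch. The `(int)` cast is an assumed stand-in for the logic error, hashing is one possible hardening, all function names are hypothetical, and the sample passwords are constructed.

```php
<?php
declare(strict_types=1);

// Constructed illustration; not AVideo's code. The (int) cast stands in for the
// coercion the advisory describes, whose exact form is not shown on the page.
function storeCoerced(string $submitted): string
{
    return (string) (int) $submitted;   // "s3cret!" becomes "0"
}

// Hardened form (assumption): keep the value a string, refuse empty input, store a hash.
function storeHardened(string $submitted): string
{
    if ($submitted === '') {
        throw new InvalidArgumentException('channel password must not be empty');
    }
    return password_hash($submitted, PASSWORD_DEFAULT);
}

// Round-trip check: the stored value must accept what was submitted and reject "0".
function roundTripOk(string $submitted, string $stored, callable $verify): bool
{
    return $verify($submitted, $stored)
        && ($submitted === '0' || !$verify('0', $stored));
}

// Comparison used with the coerced (plain) value and with the hashed value.
$plainCompare = fn(string $guess, string $stored): bool => hash_equals($stored, $guess);
$hashCompare  = fn(string $guess, string $stored): bool => password_verify($guess, $stored);

foreach (['s3cret!', 'channel pass', 'letmein'] as $pw) {   // constructed sample inputs
    $weak   = roundTripOk($pw, storeCoerced($pw), $plainCompare);
    $strong = roundTripOk($pw, storeHardened($pw), $hashCompare);
    printf("%-14s coerced=%s hardened=%s\n",
        $pw, $weak ? 'ok' : 'FAIL', $strong ? 'ok' : 'FAIL');
}
```

The round-trip check is the part worth keeping as a regression test: it fails whenever the value that reaches storage no longer matches what the administrator submitted.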

Responsible: GitHub M
Reservation: 03/18/2026
Disclosure: 03/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00055
KEV: no
Activities: very low
