CVE-2026-33478 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The CVE-2026-33478 vulnerability affects WWBN AVideo video platform versions up to and including 26.0, presenting a critical chain of security flaws that enable completely unauthenticated remote code execution. This vulnerability demonstrates a classic case of insufficient authentication controls combined with command injection flaws, creating a pathway for attackers to gain full system control without requiring any credentials. The attack chain begins with the exposure of sensitive clone secret keys through the unauthenticated `clones.json.php` endpoint, which violates fundamental security principles of access control and privilege separation. This initial exposure represents a direct violation of CWE-284, which addresses improper access control, and creates a critical entry point that undermines the entire security model of the platform.
The vulnerability chain continues through the exploitation of the `cloneServer.json.php` endpoint, where the exposed secret keys enable attackers to trigger full database dumps without authentication. This represents a significant failure in input validation and access control mechanisms, as the system fails to properly verify the identity of requesting entities before providing sensitive data. The database dump contains admin password hashes stored using the insecure MD5 algorithm, which aligns with CWE-327, addressing the use of weak cryptographic algorithms. The trivially crackable MD5 hashes demonstrate a fundamental security weakness in password storage practices, as MD5 is no longer considered cryptographically secure for password hashing purposes and can be rapidly cracked using rainbow table attacks or brute force methods.
Once administrative access is obtained through password cracking, the vulnerability escalates to a full remote code execution capability through an OS command injection flaw in the `cloneClient.json.php` endpoint. The rsync command construction in this component demonstrates a classic command injection vulnerability where user-controllable input is directly incorporated into system commands without proper sanitization or escaping. This flaw directly relates to CWE-78, which addresses OS command injection, and provides attackers with complete system control through the execution of arbitrary commands on the underlying operating system. The combination of these vulnerabilities creates a multi-stage attack that leverages each weakness to progressively escalate privileges and ultimately achieve complete system compromise.
This vulnerability represents a significant concern for organizations using AVideo platforms, as it allows attackers to execute arbitrary code remotely without authentication, potentially leading to complete system takeover, data exfiltration, and further lateral movement within network environments. The attack vector demonstrates how multiple security failures can compound to create severe consequences, with the initial lack of authentication allowing access to sensitive data, followed by weak cryptographic practices enabling credential compromise, and finally command injection providing the ultimate execution capability. Organizations should immediately apply the patch referenced in commit c85d076375fab095a14170df7ddb27058134d38c to remediate this vulnerability. The incident highlights the importance of implementing proper access controls, using strong cryptographic algorithms for password storage, and implementing proper input validation and sanitization to prevent command injection attacks. This vulnerability also aligns with ATT&CK technique T1059.001, which covers command and script injection, and demonstrates how multiple attack techniques can be chained together to achieve comprehensive system compromise. The flaw underscores the critical need for security reviews of authentication mechanisms and input handling processes in web applications to prevent such cascading security failures that can lead to complete system takeover.